Authors' Abstract



We show how to specify components of concurrent systems. The specification of a system is the conjunction of its components' specifications. Properties of the system are proved by reasoning about its components. We consider both the decomposition of a given system into parts, and the composition of given parts to form a system.
1 Introduction



Large systems are built from smaller parts. We present a method for deducing properties of a system by reasoning about its components. We show how to represent an individual component $\Pi_i$ by a formula $S_i$ so that the parallel composition usually denoted cobegin $\Pi_1 \,\|\, \ldots \,\|\, \Pi_n$ coend is represented by the formula $S_1 \wedge \ldots \wedge S_n$. Composition is conjunction.

We reduce composition to conjunction not for the sake of elegance, but because it is the best way we know to prove properties of composite systems. Rigorous reasoning requires logic, and hence a language of logical formulas. It does not require a conventional programming language for describing systems. We find it most convenient to regard programs and circuit descriptions as low-level specifications, and to represent them in the same logic used for higher-level specifications. The logic we use is TLA, the Temporal Logic of Actions [14]. We do not discuss here the important problem of translating from a low-level TLA specification to an implementation in a conventional language.

The idea of representing concurrent programs and their specifications as formulas in a temporal logic was first proposed by Pnueli [18]. It was later observed that, if specifications allow "stuttering" steps that leave the state unchanged, then $S_l \Rightarrow S_h$ asserts that $S_l$ implements $S_h$ [12]. Hence, proving that a lower-level specification implements a higher-level one was reduced to proving a formula in the logic. Still later, it was noticed that the formula $\exists x : S$ specifies the same system as $S$ except with the variable $x$ hidden [1, 13], and variable hiding became logical quantification. The idea of composition as conjunction has also been suggested [4, 5, 21], but our method for reducing composition to conjunction is new.

To deduce useful properties of a component, we must specify its environment. No component will exhibit its intended behavior in the presence of a sufficiently hostile environment. For example, a combinational circuit will not produce an output in the intended range if some input line, instead of having a 0 or a 1, has an improper voltage level of 1/2. The specification of the circuit's environment must rule out such improper inputs.

How we reason about a composite system depends on how it was formed. Composite specifications arise in two ways: by decomposing a given system into smaller parts, and by composing given parts to form a larger system. These two situations call for two methods of writing component specifications that differ in their treatment of the environment. This difference in turn leads to different proof rules.
When decomposing a specification, the environment of each component is assumed to be the other components, and is usually left implicit. To reason about a component, we must state what we are assuming about its environment, and then prove that this assumption is satisfied by the other components. The Decomposition Theorem of Section 4 provides the needed proof rule. It reduces the verification of a complex, low-level system to proving properties of a higher-level specification and properties of one low-level component at a time. Decomposing proofs in this way allows us to apply decision procedures to verifications that hitherto required completely hand-guided proofs [11].

When specifying a reusable component, without knowing precisely where it will be used, we must make explicit what it assumes of its environment. We therefore assert that the component satisfies a guarantee $M$ only as long as its environment satisfies an assumption $E$. This assumption/guarantee property [10] is denoted $E \stackrel{+}{\rightarrow} M$. To show that a composition of reusable components satisfies a specification $S$, we must prove a formula of the form $(E_1 \stackrel{+}{\rightarrow} M_1) \wedge \ldots \wedge (E_n \stackrel{+}{\rightarrow} M_n) \Rightarrow S$, where $S$ may again be an assumption/guarantee property. We prove such a formula with the Composition Theorem of Section 5. This theorem allows us to reason about assumption/guarantee specifications using well-established, effective methods for reasoning about specifications of complete systems.

In the following section, we examine the issues that arise in decomposition and composition. Our discussion is informal, because we wish to show that these issues are fundamental, not artifacts of a particular formalism. We treat these topics formally in Sections 4 and 5. Section 3 covers the formal preliminaries. A comparison with related work appears in the conclusion. Proofs are relegated to the appendix.

2 An Informal Overview 

2.1 Decomposing Complete Systems 

A complete system is one that is self-contained; it may be observed, but 
it does not interact with the observer. A program is a complete system, 
provided we model inputs as being generated nondeterministically by the 
program itself. 

As a tiny example of a complete system, consider the following program, 
written in an informal programming-language notation in which statements 
within angle brackets are executed atomically. 
Program GCD
    var a initially 233344, b initially 233577899 ;
    cobegin loop ⟨ if a > b then a := a − b ⟩ endloop
         || loop ⟨ if b > a then b := b − a ⟩ endloop coend

Program GCD satisfies the correctness property that eventually $a$ and $b$ become and remain equal to the gcd of 233344 and 233577899. We make no distinction between programs and properties, writing them all as TLA formulas. If formula $M_{gcd}$ represents program GCD and formula $P_{gcd}$ represents the correctness property, then the program implements the property iff (if and only if) $M_{gcd}$ implies $P_{gcd}$. Thus, correctness of program GCD is verified by proving $M_{gcd} \Rightarrow P_{gcd}$.

In hierarchical development, one decomposes the specification of a system into specifications of its parts. As explained in Section 4, the specification $M_{gcd}$ of program GCD can be written as $M_a \wedge M_b$, where $M_a$ asserts that $a$ initially equals 233344 and is repeatedly decremented by the value of $b$ whenever $a > b$, and where $M_b$ is analogous. The formulas $M_a$ and $M_b$ are the specifications of two processes $\Pi_a$ and $\Pi_b$. We can write $\Pi_a$ and $\Pi_b$ as



Process $\Pi_a$
    output var a initially 233344 ;
    input var b ;
    loop ⟨ if a > b then a := a − b ⟩ endloop

Process $\Pi_b$
    output var b initially 233577899 ;
    input var a ;
    loop ⟨ if b > a then b := b − a ⟩ endloop



One decomposes a specification in order to refine the components separately. We can refine the GCD program, to remove simultaneous atomic accesses to both $a$ and $b$, by refining process $\Pi_a$ to

Process $\Pi_a'$
    output var a initially 233344 ;
    internal var a1 ;
    input var b ;
    loop ⟨ a1 := b ⟩ ; if ⟨ a > a1 ⟩ then ⟨ a := a − a1 ⟩ endloop

and refining $\Pi_b$ to the analogous process $\Pi_b'$.

The composition of processes $\Pi_a'$ and $\Pi_b'$ correctly implements program GCD. This is expressed in TLA by the assertion that $M_a' \wedge M_b'$ implies $M_a \wedge M_b$, where $M_a'$ and $M_b'$ are the formulas representing $\Pi_a'$ and $\Pi_b'$. We would like to decompose the proof of $M_a' \wedge M_b' \Rightarrow M_a \wedge M_b$ into proofs of $M_a' \Rightarrow M_a$ and $M_b' \Rightarrow M_b$. These proofs would show that $\Pi_a'$ implements $\Pi_a$ and $\Pi_b'$ implements $\Pi_b$.

Unfortunately, $\Pi_a'$ does not implement $\Pi_a$ because, in the absence of assumptions about when its input $b$ can change, $\Pi_a'$ can behave in ways that process $\Pi_a$ cannot. Process $\Pi_a$ can decrement $a$ only by the current value of $b$, but $\Pi_a'$ can decrement $a$ by a previous value of $b$ if $b$ changes between the assignment to $a_1$ and the assignment to $a$. Similarly, $\Pi_b'$ does not implement $\Pi_b$.

Process $\Pi_a'$ does correctly implement process $\Pi_a$ in a context in which $b$ does not change when $a > b$. This is expressed in TLA by the formula $E_a \wedge M_a' \Rightarrow M_a$, where $E_a$ asserts that $b$ does not change when $a > b$. Similarly, $E_b \wedge M_b' \Rightarrow M_b$ holds, for the analogous $E_b$. The Decomposition Theorem of Section 4.3 allows us to deduce $M_a' \wedge M_b' \Rightarrow M_a \wedge M_b$ from approximately the following hypotheses:

\[
\begin{array}{l}
E_a \wedge M_a' \Rightarrow M_a \\
E_b \wedge M_b' \Rightarrow M_b \\
M_a \wedge M_b \Rightarrow E_a \wedge E_b
\end{array}
\qquad (1)
\]

The third hypothesis holds because the composition of processes $\Pi_a$ and $\Pi_b$ does not allow $a$ to change when $b > a$ or $b$ to change when $a > b$.

Observe that $E_a$ asserts only the property of $\Pi_b'$ needed to guarantee that $\Pi_a'$ implements $\Pi_a$. In a more complicated example, $E_a$ will be significantly simpler than $M_b'$, the full specification of $\Pi_b'$. Verifying these hypotheses will therefore be easier than proving $M_a' \wedge M_b' \Rightarrow M_a \wedge M_b$ directly, since this proof requires reasoning about the specification $M_a' \wedge M_b'$ of the complete low-level program.

One cannot really deduce $M_a' \wedge M_b' \Rightarrow M_a \wedge M_b$ from the hypotheses (1). For example, (1) is trivially satisfied if $E_a$, $E_b$, $M_a$, and $M_b$ all equal false; but we cannot deduce $M_a' \wedge M_b' \Rightarrow \mathit{false}$ for arbitrary $M_a'$ and $M_b'$. The precise hypotheses of the Decomposition Theorem are more complicated, and we must develop a number of formal concepts in order to state them. We also develop results that allow us to discharge these more complicated hypotheses by proving conditions essentially as simple as (1).
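The argument of this section, as an added Python model that is not part of the paper. It uses small constructed initial values (6 and 4 instead of the paper's 233344 and 233577899) and, as a simplifying assumption, merges the test $a > a_1$ and the assignment $a := a - a_1$ of $\Pi_a'$ into one atomic step (only that step changes $a$, so the values $a$ is decremented by are unaffected). It enumerates every interleaving of $\Pi_a'$ with an environment that changes $b$, once with no assumption and once under $E_a$, and separately enumerates the composition $\Pi_a' \,\|\, \Pi_b'$: alone, $\Pi_a'$ can decrement $a$ by a stale value of $b$; under $E_a$ it cannot; and the composition only ever takes steps that $M_a$ or $M_b$ allow and ends with $a = b = \gcd$.

```python
from math import gcd

# Constructed small initial values; the paper's program starts from 233344 and
# 233577899, but small values keep the exhaustive interleaving search tiny.
A0, B0 = 6, 4


def m_a_step(a, b):
    """The only non-stuttering step that M_a allows: a := a - b when a > b."""
    return (a - b, b) if a > b else None


def m_b_step(a, b):
    """The symmetric step of M_b: b := b - a when b > a."""
    return (a, b - a) if b > a else None


def pi_a_prime_steps(a, a1, b, pc):
    """Atomic steps of the refined process Pi_a', as (a', a1', pc') triples.
    pc = 0: the next step is <a1 := b>; pc = 1: the next step is the
    test/decrement (merged into one atomic step here, an assumption)."""
    if pc == 0:
        return [(a, b, 1)]            # <a1 := b>
    if a > a1:
        return [(a - a1, a1, 0)]      # <a := a - a1>
    return [(a, a1, 0)]               # test false: round the loop again


def bad_steps_of_pi_a_prime(assume_Ea):
    """Explore every interleaving of Pi_a' with an environment that changes b.
    assume_Ea=False: b may become any value in 1..B0 at any time.
    assume_Ea=True:  the environment obeys E_a, i.e. b changes only when a <= b.
    Returns the set of projected steps (a, b) -> (a', b) taken by Pi_a' that M_a
    does not allow (decrements of a by a stale value of b)."""
    init = (A0, 0, B0, 0)             # (a, a1, b, pc); a1 starts at 0
    seen, todo, bad = {init}, [init], set()
    while todo:
        a, a1, b, pc = todo.pop()
        succ = []
        for na, na1, npc in pi_a_prime_steps(a, a1, b, pc):
            if na != a and (na, b) != m_a_step(a, b):
                bad.add(((a, b), (na, b)))
            succ.append((na, na1, b, npc))
        if not (assume_Ea and a > b):
            succ += [(a, a1, nb, pc) for nb in range(1, B0 + 1) if nb != b]
        for s in succ:
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return bad


def composition_refines_gcd():
    """Explore Pi_a' || Pi_b' (no external environment). Returns the number of
    steps whose (a, b) projection is neither a stutter nor a step allowed by
    M_a or M_b, together with the set of values reached with a = b."""
    init = (A0, 0, 0, B0, 0, 0)       # (a, a1, pc_a, b, b1, pc_b)
    seen, todo, bad, finals = {init}, [init], 0, set()
    while todo:
        a, a1, pca, b, b1, pcb = todo.pop()
        if a == b:
            finals.add(a)
        succ = [(na, na1, npc, b, b1, pcb)
                for na, na1, npc in pi_a_prime_steps(a, a1, b, pca)]
        succ += [(a, a1, pca, nb, nb1, npc)            # Pi_b' mirrors Pi_a'
                 for nb, nb1, npc in pi_a_prime_steps(b, b1, a, pcb)]
        for s in succ:
            proj = (s[0], s[3])
            if proj != (a, b) and proj not in (m_a_step(a, b), m_b_step(a, b)):
                bad += 1
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return bad, finals


if __name__ == "__main__":
    print("no assumption, bad steps:", sorted(bad_steps_of_pi_a_prime(False)))
    print("under E_a, bad steps:", bad_steps_of_pi_a_prime(True))
    print("composition:", composition_refines_gcd(), "gcd =", gcd(A0, B0))
```

The bad step $(6, 3) \to (2, 3)$ reported without the assumption is exactly the stale read: $a_1$ was set to 4, $b$ then changed to 3, and $a$ was decremented by 4 rather than by the current $b$. Under $E_a$ the environment may change $b$ only while $a \le b$, so any value of $a_1$ that is stale is also at least $a$ and the decrement never fires.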

2.2 Composing Open Systems 

An open system is one that interacts with an environment it does not control. In our examples, we consider systems that communicate by using a standard two-phase handshake protocol [15] to send values over channels. The state of a channel $c$ is described by three components: the value $c.val$ that is being sent, and two bits $c.sig$ and $c.ack$ used for synchronization. We let $c.snd$ denote the pair $\langle c.sig, c.val \rangle$. Figure 1 shows the sequence of states assumed in sending the sequence of values 37, 4, 19, .... The channel is ready to send when $c.sig = c.ack$. A value $v$ is sent by setting $c.val$ to $v$ and complementing $c.sig$. Receipt of the value is acknowledged by complementing $c.ack$.

Figure 1: The two-phase handshake protocol for a channel c.

Figure 2: A queue.

We consider an $N$-element queue with input channel $i$ and output channel $o$. It is depicted in Figure 2. To describe the queue, we introduce the following notation for finite sequences: $|p|$ denotes the length of sequence $p$, which equals 0 if $p$ is empty; $Head(p)$ and $Tail(p)$ as usual denote the head (first element) and the tail of sequence $p$, if $p$ is nonempty; and $p \circ r$ denotes the concatenation of sequences $p$ and $r$. Angle brackets are used to form sequences, so $\langle\,\rangle$ denotes the empty sequence and $\langle e \rangle$ denotes the sequence with $e$ as its only element. With this notation, the queue can be written as in Figure 3.

Let $Q_M$ be the TLA formula that represents this queue process. It might seem natural to take $Q_M$ as the specification of the queue. However, this specification would be difficult or impossible to implement because it states that the queue behaves properly even if the environment does not obey the communication protocol. For example, in a lower-level implementation, reading the input $o.ack$ and setting the outputs $o.sig$ and $o.val$ would be separate actions. If the environment changed $o.ack$ between these actions, the implementation could violate the requirement that it change $o.val$ only when $o.ack = o.sig$. This problem is not an artifact of our particular representation of the queue; actual hardware implementations of a queue can enter metastable states, consequently producing bizarre, unpredictable behavior, if their inputs are changed when they are not supposed to be [15].

Process Queue
    output var i.ack, o.sig initially 0, o.val ;
    internal var q initially ⟨ ⟩ ;
    input var i.sig, i.val, o.ack ;
    cobegin loop ⟨ if (i.ack ≠ i.sig) ∧ (|q| < N)
                     then q := q ∘ ⟨i.val⟩ ;
                          i.ack := 1 − i.ack ⟩ endloop
         || loop ⟨ if (o.ack = o.sig) ∧ (|q| > 0)
                     then o.val := Head(q) ;
                          q := Tail(q) ;
                          o.sig := 1 − o.sig ⟩ endloop
    coend

Figure 3: A queue process.

A specification of the queue should allow executions in which the queue performs correctly; it should not rule out bad behavior of the queue caused by the environment performing incorrectly. Such a specification can be written in the assumption/guarantee style, a generalization of the traditional pre/post-condition style for sequential programs. An assumption/guarantee specification asserts that the system provides a guarantee $M$ if its environment satisfies an assumption $E$. For the queue, $M$ is the formula $Q_M$ and $E$ asserts that the environment obeys the communication protocol.

It is not obvious how to reason about the composition of systems described by assumption/guarantee specifications. The basic problem is illustrated by the simple case of two systems, one guaranteeing $M_c$ assuming $M_d$, and the other guaranteeing $M_d$ assuming $M_c$. Since each system guarantees to satisfy the other's environment assumption, we would like to conclude that their composition implements the specification $M_c \wedge M_d$ unconditionally, with no environment assumption. Can we? We attempt to answer this question by considering two simple examples, based on Figure 4.

Figure 4: A simple example.
In the first example:

• $M_c^0$ asserts that $c$ always equals 0.

• $M_d^0$ asserts that $d$ always equals 0.

We can implement these specifications with the following two processes.

Process $\Pi_c$
    output var c initially 0 ;
    input var d ;
    loop ⟨ c := d ⟩ endloop

Process $\Pi_d$
    output var d initially 0 ;
    input var c ;
    loop ⟨ d := c ⟩ endloop

Process $\Pi_c$ guarantees $M_c^0$ assuming $M_d^0$, and process $\Pi_d$ guarantees $M_d^0$ assuming $M_c^0$. Clearly, their composition leaves $c$ and $d$ unchanged, so it implements $M_c^0 \wedge M_d^0$.

In the second example:

• $M_c^1$ asserts that $c$ eventually equals 1.

• $M_d^1$ asserts that $d$ eventually equals 1.

The same processes $\Pi_c$ and $\Pi_d$ implement the specifications in this case too; process $\Pi_c$ guarantees $M_c^1$ assuming $M_d^1$, and process $\Pi_d$ guarantees $M_d^1$ assuming $M_c^1$. However, since their composition leaves $c$ and $d$ unchanged, it does not implement $M_c^1 \wedge M_d^1$.

Our conclusion in the first example does not depend on the particular choice of processes $\Pi_c$ and $\Pi_d$. We can deduce directly from the assumption/guarantee specifications that the composition must implement $M_c^0 \wedge M_d^0$, because the first process to change its output variable would violate its guarantee before its assumption had been violated. This argument does not apply to the second example, because violating $M_c^1$ and $M_d^1$ are sins of omission that do not occur at any particular instant. A property that can be made false only by being violated at some instant is called a safety property [6]. As the examples suggest, reasoning about the composition of assumption/guarantee specifications is easiest when assumptions are safety properties.

The argument that the composition should implement $M_c^0 \wedge M_d^0$ in the first example rests on the requirement that a process maintains its guarantee until after the environment violates its assumption. In other words, we interpret the assumption/guarantee specification as an assertion that the guarantee $M$ can become false only after the assumption $E$ becomes false. We write this assertion as the formula $E \stackrel{+}{\rightarrow} M$. Section 5 discusses this form of specification.

Our rules for reasoning about the composition of assumption/guarantee specifications are embodied in the Composition Theorem of Section 5.2. With the Composition Theorem, we can prove that the conjunction of the assumption/guarantee specifications $M_d^0 \stackrel{+}{\rightarrow} M_c^0$ and $M_c^0 \stackrel{+}{\rightarrow} M_d^0$ implies $M_c^0 \wedge M_d^0$. We can also prove more substantial results — for example, that the composition of queues implements a larger queue. Verifying the hypotheses of the theorem requires reasoning only about complete systems, so the theorem allows us to handle assumption/guarantee specifications as easily as complete-system specifications.

3 Preliminaries 
3.1 TLA 

3.1.1 Review of the Syntax and Semantics 

A state is an assignment of values to variables. (Technically, our variables are the "flexible" variables of temporal logic that correspond to the variables of programming languages; they are distinct from the variables of first-order logic.) A behavior is an infinite sequence of states. Semantically, a TLA formula $F$ is true or false of a behavior; we say that $F$ is valid, and write $\models F$, iff it is true of every behavior. Syntactically, TLA formulas are built up from state functions using Boolean operators ($\neg$, $\wedge$, $\vee$, $\Rightarrow$ [implication], and $\equiv$ [equivalence]) and the operators $'$, $\Box$, and $\exists$, as described below.

A state function is like an expression in a programming language. Semantically, it assigns a value to each state — for example, $3 + x$ assigns to state $s$ three plus the value of the variable $x$ in $s$. A state predicate is a Boolean-valued state function. An action is a Boolean-valued expression containing primed and unprimed variables. Semantically, an action is true or false of a pair of states, with primed variables referring to the second state — for example, $x + 1 > y'$ is true for $(s, t)$ iff the value of $x + 1$ in $s$ is greater than the value of $y$ in $t$. A pair of states satisfying action $A$ is called an $A$ step. We say that $A$ is enabled in state $s$ iff there exists a state $t$ such that $(s, t)$ is an $A$ step. We write $f'$ for the expression obtained by priming all the variables of the state function $f$, and $[A]_f$ for $A \vee (f' = f)$, so an $[A]_f$ step is either an $A$ step or a step that leaves $f$ unchanged.

As usual in temporal logic, if $F$ is a formula then $\Box F$ is a formula that means that $F$ is always true. Using $\Box$ and "enabled" predicates, we can define fairness operators WF and SF. The weak fairness formula $\mathrm{WF}_v(A)$ asserts of a behavior that either there are infinitely many $A$ steps that change $v$, or there are infinitely many states in which such steps are not enabled. The strong fairness formula $\mathrm{SF}_v(A)$ asserts that either there are infinitely many $A$ steps that change $v$, or there are only finitely many states in which such steps are enabled.

The formula $\exists x : F$ essentially means that there is some way of choosing a sequence of values for $x$ such that the temporal formula $F$ holds. We think of $\exists x : F$ as "$F$ with $x$ hidden" and call $x$ an internal variable of $\exists x : F$. If $x$ is a tuple of variables $\langle x_1, \ldots, x_k \rangle$, we write $\exists x : F$ for $\exists x_1 : \ldots \exists x_k : F$.

The standard way of specifying a system in TLA is with a formula in the "canonical form" $\exists x : Init \wedge \Box[\mathcal{N}]_v \wedge L$, where $Init$ is a predicate and $L$ a conjunction of fairness conditions. This formula asserts that there exists a sequence of values for $x$ such that $Init$ is true for the initial state, every step of the behavior is an $\mathcal{N}$ step or leaves the state function $v$ unchanged, and $L$ holds. For example, the specification $M_{gcd}$ of the complete high-level GCD program is written in canonical form by taking¹

\[
\begin{array}{lcl}
Init & \triangleq & (a = 233344) \wedge (b = 233577899) \\
\mathcal{N} & \triangleq & \vee\; (a > b) \wedge (a' = a - b) \wedge (b' = b) \\
 & & \vee\; (b > a) \wedge (b' = b - a) \wedge (a' = a) \\
v & \triangleq & \langle a, b \rangle \\
L & \triangleq & \mathrm{WF}_v(\mathcal{N})
\end{array}
\]

Intuitively, a variable represents some part of the universe and a behavior represents a possible complete history of the universe. A system $\Pi$ is represented by a TLA formula $M$ that is true for precisely those behaviors that represent histories in which $\Pi$ is running. We make no formal distinction between systems, specifications, and properties; they are all represented by TLA formulas, which we usually call specifications.

¹ We let a list of formulas bulleted with $\wedge$ or $\vee$ denote the conjunction or disjunction of the formulas, using indentation to eliminate parentheses. We also let $\Rightarrow$ have lower precedence than the other Boolean operators.

3.1.2 Interleaving and Noninterleaving Representations 

When representing a history of the universe as a behavior, we can describe concurrent changes to two objects $\xi$ and $\psi$ either by a single simultaneous change to the corresponding variables $x$ and $y$, or by separate changes to $x$ and $y$ in some order. If the changes to $\xi$ and $\psi$ are directly linked, then it is usually most convenient to describe their concurrent change by a single change to both $x$ and $y$. However, if the changes are independent, then we are free to choose whether or not to allow simultaneous changes to $x$ and $y$. An interleaving representation is one in which such simultaneous changes are disallowed.

When changes to $\xi$ and $\psi$ are directly linked, we often think of $x$ and $y$ as output variables of a single component. An interleaving representation is then one in which simultaneous changes to output variables of different processes are disallowed. The absence of such simultaneous changes can be expressed as a TLA formula. For a system with $n$ components in which $v_i$ is the tuple of output variables of component $i$, interleaving is expressed by the formula

\[
Disjoint(v_1, \ldots, v_n) \;\triangleq\; \bigwedge_{i \neq j} \Box[(v_i' = v_i) \vee (v_j' = v_j)]_{\langle v_i, v_j \rangle}
\]

We have found that, in TLA, interleaving representations are usually easier to write and to reason about. Moreover, an interleaving representation is adequate for reasoning about a system if the system is modeled at a sufficiently fine grain of atomicity. However, TLA also works for noninterleaving representations.

3.1.3 The Queue Example 

We now give a TLA specification of the queue of natural numbers of length $N$, which was described informally in Section 2.2 and illustrated in Figure 2. As in Section 2.2, we write $c.snd$ for the pair $\langle c.sig, c.val \rangle$ for a channel $c$; we also write $c$ for the triple $\langle c.sig, c.ack, c.val \rangle$.

Figure 5: The complete system of queue plus environment.



A channel is initially ready for sending, so the initial condition on wire $c$ is the predicate $CInit(c)$ defined by

\[
CInit(c) \;\triangleq\; (c.sig = c.ack = 0)
\]

The operations of sending a value $v$ and acknowledging receipt of a value on channel $c$ are represented by the following $Send(v, c)$ and $Ack(c)$ actions.

\[
\begin{array}{lcl}
Send(v, c) & \triangleq & \wedge\; c.sig = c.ack \\
 & & \wedge\; c.snd' = \langle v, 1 - c.sig \rangle \\
 & & \wedge\; c.ack' = c.ack \\[1ex]
Ack(c) & \triangleq & \wedge\; c.sig \neq c.ack \\
 & & \wedge\; c.ack' = 1 - c.ack \\
 & & \wedge\; c.snd' = c.snd
\end{array}
\]

To represent the queue as a complete system, we add an environment that 
sends arbitrary natural numbers over channel i and acknowledges values on 
channel o. The resulting complete system is shown in Figure 5. 

The TLA formula $CQ$ specifying the queue is defined in Figure 6. It has the canonical form $\exists x : Init \wedge \Box[\mathcal{N}]_v \wedge L$, where:

$x$ is the internal variable $q$, which represents the sequence of values received on the input channel $i$ but not yet sent on the output channel $o$.

$Init$ is written as the conjunction $Init_E \wedge Init_M$ of initial predicates for the environment and component. (We arbitrarily consider the initial conditions on a channel to be part of the sender's initial predicate.)

$\mathcal{N}$ is the disjunction of two actions: $Q_M$, describing the steps taken by the component, and $Q_E \wedge (q' = q)$, describing steps taken by the environment (which leave $q$ unchanged). Action $Q_M$ is the disjunction of actions $Enq$ and $Deq$. An $Enq$ step acknowledges receipt of a value on $i$ and appends the value to $q$; it is enabled only when $q$ has fewer than $N$ elements. A $Deq$ step removes the first element of $q$ and sends it on $o$. Action $Q_E$ is the disjunction of $Put$, which sends an arbitrary number on channel $i$, and $Get$, which acknowledges receipt of a number on channel $o$.

$v$ is the tuple $\langle i, o, q \rangle$ of all relevant variables.²

$L$ is the weak-fairness condition $\mathrm{WF}_{\langle i, o, q \rangle}(Q_M)$, which asserts that a component step cannot remain forever possible without occurring. It can be shown that a logically equivalent specification is obtained if this condition is replaced with $\mathrm{WF}_{\langle i, o, q \rangle}(Enq) \wedge \mathrm{WF}_{\langle i, o, q \rangle}(Deq)$.

Formula $CQ$ gives an interleaving representation of a queue; simultaneous steps by the queue and its environment are not allowed. Moreover, simultaneous changes to the two inputs $i.snd$ and $o.ack$ are disallowed, as are simultaneous changes to the two outputs $i.ack$ and $o.snd$. In Section 4, we describe a noninterleaving representation of the queue.
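The channel and queue actions of this section, together with the two-step lower-level $Deq$ discussed in Section 2.2, as an added Python model that is not part of the paper. It encodes $CInit$, $Send$, $Ack$, $Enq$, $Deq$, $Put$ and $Get$ as guarded state transformers (with a constructed capacity $N = 2$ and a constructed interleaving), checks that every step of a protocol-obeying run is an $Enq$ step, a $Deq$ step or a step that leaves the queue's variables $\langle i.ack, o.snd, q \rangle$ unchanged, and shows that splitting $Deq$ into a read of $o.ack$ and a write of $o.snd$ is harmless when the environment obeys the protocol but lets a rogue environment provoke a step that $Q_M$ forbids.

```python
# Constructed capacity; the paper keeps N symbolic.
N = 2


def cinit():
    """CInit(c): a channel starts ready to send, c.sig = c.ack = 0."""
    return {"sig": 0, "ack": 0, "val": None}


def send(v, c):
    """Send(v, c): enabled iff c.sig = c.ack; sets c.snd' = <v, 1 - c.sig>, keeps c.ack."""
    if c["sig"] != c["ack"]:
        return None
    return {"sig": 1 - c["sig"], "ack": c["ack"], "val": v}


def ack(c):
    """Ack(c): enabled iff c.sig != c.ack; sets c.ack' = 1 - c.ack, keeps c.snd."""
    if c["sig"] == c["ack"]:
        return None
    return {"sig": c["sig"], "ack": 1 - c["ack"], "val": c["val"]}


def init_state():
    """Init_E and Init_M together: both channels ready, q = <>."""
    return {"i": cinit(), "o": cinit(), "q": ()}


# Component actions (Q_M = Enq or Deq). Each returns the next state, or None if disabled.
def enq(s):
    i = s["i"]
    if i["sig"] == i["ack"] or len(s["q"]) >= N:
        return None
    return {"i": ack(i), "o": s["o"], "q": s["q"] + (i["val"],)}


def deq(s):
    o, q = s["o"], s["q"]
    if o["sig"] != o["ack"] or not q:
        return None
    return {"i": s["i"], "o": send(q[0], o), "q": q[1:]}


# Environment actions (Q_E = Put or Get); both leave q unchanged.
def put(v, s):
    i2 = send(v, s["i"])
    return None if i2 is None else {"i": i2, "o": s["o"], "q": s["q"]}


def get(s):
    o2 = ack(s["o"])
    return None if o2 is None else {"i": s["i"], "o": o2, "q": s["q"]}


def component_vars(s):
    """The queue's own variables: i.ack, o.snd and q."""
    return (s["i"]["ack"], s["o"]["sig"], s["o"]["val"], s["q"])


def qm_allows(pre, post):
    """True iff (pre, post) is an Enq step, a Deq step, or leaves the queue's variables unchanged."""
    return post in (enq(pre), deq(pre)) or component_vars(pre) == component_vars(post)


def run(schedule):
    """Drive the complete system through a constructed interleaving of actions.
    Checks that every step is one Q_M allows and returns the values the
    environment acknowledged on o, in order."""
    s, received = init_state(), []
    for step in schedule:
        nxt = step(s)
        if nxt is None:
            raise RuntimeError("action not enabled at this state")
        if not qm_allows(s, nxt):
            raise RuntimeError("step violates Q_M")
        if step is get:
            received.append(s["o"]["val"])
        s = nxt
    return received


def split_deq_violates(env_obeys_protocol):
    """A lower-level Deq that reads o.ack and writes o.snd in two separate atomic
    steps, with one environment step in between. Returns True iff the write step
    is a step Q_M forbids (o.val changed while o.ack != o.sig)."""
    s = {"i": cinit(), "o": cinit(), "q": (7,)}     # constructed: one value already queued
    latched_ack = s["o"]["ack"]                      # step 1: read o.ack
    if env_obeys_protocol:
        s = get(s) or s                              # Get is disabled here, so nothing changes
    else:
        rogue = dict(s["o"], ack=1 - s["o"]["ack"])  # a rogue environment flips o.ack anyway
        s = {"i": s["i"], "o": rogue, "q": s["q"]}
    if latched_ack == s["o"]["sig"] and s["q"]:      # step 2: write o.snd using the stale read
        o2 = {"sig": 1 - s["o"]["sig"], "ack": s["o"]["ack"], "val": s["q"][0]}
        return not qm_allows(s, {"i": s["i"], "o": o2, "q": s["q"][1:]})
    return False
```

A run such as `run([lambda s: put(3, s), enq, lambda s: put(4, s), enq, deq, get, deq, get])` delivers 3 and then 4, and each of its eight steps passes `qm_allows` because the environment only ever takes `put` and `get` when they are enabled. The second function is the situation the text describes: with a protocol-obeying environment the two halves of `deq` together form exactly the `deq` step, while a rogue flip of `o.ack` between them makes the write change `o.val` while `o.ack` differs from `o.sig`, a step that neither `enq` nor `deq` allows and that is not a stutter of the queue's variables.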

3.2 Implementation 

A specification $M'$ implies a specification $M$ iff every behavior that satisfies $M'$ also satisfies $M$, hence proving $M' \Rightarrow M$ shows that the system $\Pi'$ represented by $M'$ implements the system or property $\Pi$ represented by $M$. The formula $M' \Rightarrow M$ is proved by applying a handful of simple rules [14]. When $M$ has the form $\exists x : \hat{M}$, a key step in the proof is finding a refinement mapping — a tuple of state functions $\bar{x}$ such that $M'$ implies $\overline{M}$, where $\overline{M}$ is the formula obtained by substituting $\bar{x}$ for $x$ in $\hat{M}$. Under reasonable assumptions, such a refinement mapping exists when $M' \Rightarrow \exists x : \hat{M}$ is valid [1].

As an example, we show that the system composed of two queues in series, shown in Figure 7, implements a single larger queue. We first specify the composite queue. Let $F[e_1/v_1, \ldots, e_n/v_n]$ denote the result of (simultaneously) substituting each expression $e_i$ for $v_i$ in a formula $F$. For example, if $Get$ is defined as in Figure 6, then $Get[z/i]$ equals $Ack(o) \wedge (z' = z)$. For any formula $F$, let

\[
F^{(1)} \;\triangleq\; F[z/o,\, q_1/q] \qquad\qquad F^{(2)} \;\triangleq\; F[z/i,\, q_2/q]
\]

In Figure 8, the specification $CDQ$ of the complete system, consisting of the double queue and its environment, is defined in terms of the formulas from Figure 6. We think of the complete system as containing three components: the environment and the two queues. The initial condition is the conjunction of the initial conditions of each component. The next-state action consists of three disjuncts, representing actions of each of the three components that leave other components' variables unchanged. Finally, we take as the liveness condition the conjunction of the fairness conditions of the two queues.

² Informally, we write $\langle i, o, q \rangle$ for the concatenation of the tuples $i$, $o$, and $\langle q \rangle$.

Figure 6: The specification CQ of the complete queue.

Figure 7: A complete system containing two queues in series.

\[
\begin{array}{lcl}
ICDQ & \triangleq & \wedge\; Init_E \wedge Init_M^{(1)} \wedge Init_M^{(2)} \\
 & & \wedge\; \Box\left[\begin{array}{l}
   \vee\; Q_E \wedge \langle q_1, q_2, z \rangle' = \langle q_1, q_2, z \rangle \\
   \vee\; Q_M^{(1)} \wedge \langle q_2, o \rangle' = \langle q_2, o \rangle \\
   \vee\; Q_M^{(2)} \wedge \langle q_1, i \rangle' = \langle q_1, i \rangle
   \end{array}\right]_{\langle i, o, z, q_1, q_2 \rangle} \\
 & & \wedge\; L^{(1)} \wedge L^{(2)} \\[1ex]
CDQ & \triangleq & \exists\, q_1, q_2 : ICDQ
\end{array}
\]

Figure 8: Specification of the complete double-queue system of Figure 7.

We now show that the composite queue implements a $(2N + 1)$-element queue. (The extra element arises because the internal channel $z$ acts as a buffer element.) The correctness condition is $CDQ \Rightarrow CQ^{(2N+1)}$, where $F^{(2N+1)}$ denotes $F[(2N + 1)/N]$, for any formula $F$. This is proved by showing $ICDQ \Rightarrow ICQ^{(2N+1)}$, with the refinement mapping defined by

\[
\bar{q} \;\triangleq\; \textbf{if}\; z.sig = z.ack \;\textbf{then}\; q_1 \circ q_2 \;\textbf{else}\; q_1 \circ \langle z.val \rangle \circ q_2
\]

The formula $ICDQ \Rightarrow ICQ^{(2N+1)}$ can be proved by standard TLA reasoning [14].
3.3 Conditional Implementation

Instead of proving that a specification $M'$ implements a specification $M$, we sometimes want to prove the weaker condition that $M'$ implements $M$ assuming a formula $G$. In other words, we want to prove $G \Rightarrow (M' \Rightarrow M)$, which is equivalent to $G \wedge M' \Rightarrow M$. The formula $G$ may express one or more of the following:

• A law of nature. For example, in a real-time specification, $G$ might assert that time increases monotonically. Letting the current time be represented by the variable $now$, this assumption is expressed by the formula $(now \in \mathbb{R}) \wedge \Box[now' \in (now, \infty)]_{now}$, where $\mathbb{R}$ is the set of real numbers.

• An interface refinement, where $G$ expresses the relation between a low-level tuple $l$ of variables and its high-level representation as a tuple $h$ of variables. For example, $l$ might be a low-level interface representing the transmission of sequences of bits over a wire, and $h$ could be the high-level interface in which the sending of seven successive bits is interpreted as the transmission of a single ASCII character.

• An assumption about how reality is translated into the formalism of behaviors. In particular, $G$ may assert an interleaving assumption — for example, an assumption of the form $Disjoint(v_1, \ldots, v_n)$.

Conditional implementation, with an explicit formula G, is needed only for 
open systems. For a complete system, the properties expressed by G can 
easily be made part of the system specification. For example, the system 
can include a component that advances time. In contrast, it can be difficult 
to include G in the specification of an open system. 

3.4 Safety and Closure 
3.4.1 Definition of Closure 

A finite sequence of states is called a finite behavior. For any formula $F$ and finite behavior $\rho$, we say that $\rho$ satisfies $F$ iff $\rho$ can be extended to an infinite behavior that satisfies $F$. For convenience, we say that the empty sequence $\langle\,\rangle$ satisfies every formula.

A safety property is a formula that is satisfied by an infinite behavior $\sigma$ iff it is satisfied by every prefix of $\sigma$ [6]. For any predicate $Init$, action $\mathcal{N}$, and state function $v$, the formula $Init \wedge \Box[\mathcal{N}]_v$ is a safety property. It can be shown that, for any TLA formula $F$, there is a TLA formula $\mathcal{C}(F)$, called the closure of $F$, such that a behavior $\sigma$ satisfies $\mathcal{C}(F)$ iff every prefix of $\sigma$ satisfies $F$. Formula $\mathcal{C}(F)$ is the strongest safety property such that

3.4.2 Machine Closure 

When writing a specification in the form $Init \wedge \Box[\mathcal{N}]_v \wedge L$, we expect $L$ to constrain infinite behaviors, not finite ones. Formally, this means that the closure of $Init \wedge \Box[\mathcal{N}]_v \wedge L$ should be $Init \wedge \Box[\mathcal{N}]_v$. A pair of properties $(P, L)$ is called machine closed iff $\mathcal{C}(P \wedge L)$ equals $P$ [1]. (We often say informally that $P \wedge L$ is machine closed.)

Proposition 1 below, which is proved in [2], shows that we can use fairness properties to write machine-closed specifications. The proposition relies on the following definition: an action $A$ is a subaction of a safety property $P$ iff for every finite behavior $\rho = \langle r_0, \ldots, r_n \rangle$, if $\rho$ satisfies $P$ and $A$ is enabled in state $r_n$, then there exists a state $r_{n+1}$ such that $\langle r_0, \ldots, r_{n+1} \rangle$ satisfies $P$ and $(r_n, r_{n+1})$ is an $A$ step. If $A$ implies $\mathcal{N}$, then $A$ is a subaction of $Init \wedge \Box[\mathcal{N}]_v$.

Proposition 1 If $P$ is a safety property and $L$ is the conjunction of a countable number of formulas of the form $\mathrm{WF}_w(A)$ and/or $\mathrm{SF}_w(A)$ such that $A \wedge (w' \neq w)$ is a subaction of $P$, then $(P, L)$ is machine closed.

3.4.3 Closure and Hiding 

Several of our results have hypotheses of the form $\mathcal{C}(M_1) \wedge \ldots \wedge \mathcal{C}(M_n) \Rightarrow \mathcal{C}(M)$. The obvious first step in proving such a formula is to compute the closures $\mathcal{C}(M_1), \ldots, \mathcal{C}(M_n)$, and $\mathcal{C}(M)$. We can use Proposition 1 to compute the closure of a formula with no internal variables. When there are internal variables,  the following proposition allows us to reduce the proof of $\mathcal{C}(M_1) \wedge \ldots \wedge \mathcal{C}(M_n) \Rightarrow \mathcal{C}(M)$ to the proof of a formula in which the closures can be computed with Proposition 1.

Proposition 2 Let $x, x_1, \ldots, x_n$ be tuples of variables such that for each $i$, no variable in $x_i$ occurs in $M$ or in any $M_j$ with $i \neq j$.

\[
\text{If } \models \bigwedge_{i=1}^{n} \mathcal{C}(M_i) \Rightarrow \exists x : \mathcal{C}(M), \text{ then } \models \bigwedge_{i=1}^{n} \mathcal{C}(\exists x_i : M_i) \Rightarrow \mathcal{C}(\exists x : M).
\]

Proofs are in the appendix.
3.5 Additional Temporal Operators 

We now define some additional temporal operators. Although they can be 
expressed in terms of the primitive TLA operators $'$, $\Box$, and $\exists$, we define 
them semantically. 

3.5.1 $+$ 

The formula $E^{+v}$ asserts that, if the temporal formula $E$ ever becomes false, 
then the state function $v$ stops changing. More precisely, a behavior $\sigma$ 
satisfies $E^{+v}$ iff either $\sigma$ satisfies $E$, or there is some $n$ such that $E$ holds for 
the first $n$ states of $\sigma$, and $v$ never changes from the $(n+1)$st state on. When 
$E$ is a safety property in canonical form, it is easy to write $E^{+v}$ explicitly: 

Proposition 3 If $x$ is a tuple of variables none of which occurs in $v$, and 
$s$ is a variable that does not occur in $\mathit{Init}$, $N$, $w$, $v$, or $x$, and 

$\mathit{Init}^{+} \triangleq (\mathit{Init} \wedge (s = 0)) \vee (\neg\mathit{Init} \wedge (s = 1))$ 

$N^{+} \triangleq \vee\ (s = 0) \wedge \vee\ (s' = 0) \wedge (N \vee (w' = w))$ 
$\qquad\qquad\qquad\quad\ \vee\ (s' = 1) \wedge \neg(N \vee (w' = w))$ 
$\qquad\ \ \vee\ (s = 1) \wedge (s' = 1) \wedge (v' = v)$ 

then $\models (\exists x : \mathit{Init} \wedge \Box[N]_w)^{+v} \equiv \exists x, s : \mathit{Init}^{+} \wedge \Box[N^{+}]_{\langle v, w, s\rangle}$ 

We need to reason about $+$ only to verify hypotheses of the form $\models \mathcal{C}(E)^{+v} \wedge 
\mathcal{C}(M') \Rightarrow \mathcal{C}(M)$ in our Decomposition and Composition Theorems. We can 
verify such a hypothesis by first applying the observation that $\mathcal{C}(E)^{+v}$ equals 
$\mathcal{C}(E^{+v})$ and using Proposition 3 to calculate $E^{+v}$. However, this approach 
is necessary only for noninterleaving specifications. Proposition 4 below 
provides a way of proving these hypotheses for interleaving specifications 
without having to calculate $E^{+v}$. 
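As an added illustration (this is not code from the paper), the following Python script checks Proposition 3 by brute force on finite behaviors. It computes $E^{+v}$ twice, once from the semantic definition above and once from the explicit $\mathit{Init}^{+}$/$N^{+}$ construction with the extra variable $s$ found by search, and compares the two on every short behavior of a constructed counter specification ($\mathit{Init} \triangleq c = 0$, $N \triangleq c' = c + 1$, $x$ the empty tuple so there is no hiding, and $v = w = \langle c\rangle$). The specification, the value domain and the behavior length are assumptions chosen for the example.

```python
"""Proposition 3 checked on finite behaviors (added example, not the paper's code).

A behavior is a list of values of the single variable c.  The constructed spec is
    Init == (c = 0),   N == (c' = c + 1),   v = w = <<c>>,   x = <<>>.
"""
from itertools import product


def init(c):
    return c == 0


def nxt(c, c1):
    return c1 == c + 1


def E(sigma):
    """Init /\ [][N]_c on a finite behavior; true of the empty prefix."""
    if not sigma:
        return True
    return init(sigma[0]) and all(nxt(c, c1) or c1 == c
                                  for c, c1 in zip(sigma, sigma[1:]))


def plus_semantic(sigma):
    """E^{+v} by its definition: E holds, or for some n >= 0, E holds for the
    first n states and v never changes from the (n+1)st state on."""
    if E(sigma):
        return True
    return any(E(sigma[:n]) and len(set(sigma[n:])) <= 1
               for n in range(len(sigma) + 1))


def init_plus(c, s):
    """Init^+ == (Init /\ s = 0) \/ (~Init /\ s = 1)."""
    return (init(c) and s == 0) or (not init(c) and s == 1)


def nxt_plus(c, s, c1, s1):
    """N^+ of Proposition 3, with v = w = c."""
    if s == 0:
        e_step = nxt(c, c1) or c1 == c            # N \/ (w' = w)
        return (s1 == 0 and e_step) or (s1 == 1 and not e_step)
    return s == 1 and s1 == 1 and c1 == c         # v' = v once s = 1


def plus_constructed(sigma):
    """\\E s : Init^+ /\ [][N^+]_{<<v,w,s>>}: search every assignment to the
    hidden variable s along the finite behavior."""
    if not sigma:
        return True
    for s_seq in product((0, 1), repeat=len(sigma)):
        if not init_plus(sigma[0], s_seq[0]):
            continue
        pairs = list(zip(sigma, s_seq))
        ok = True
        for (c, s), (c1, s1) in zip(pairs, pairs[1:]):
            unchanged = (c1 == c and s1 == s)     # stuttering step on <<v,w,s>>
            if not (unchanged or nxt_plus(c, s, c1, s1)):
                ok = False
                break
        if ok:
            return True
    return False


def proposition3_agrees(domain, max_len):
    """True iff both definitions coincide on every behavior over `domain`
    with 1..max_len states (constructed domain, exhaustive check)."""
    return all(plus_semantic(list(sigma)) == plus_constructed(list(sigma))
               for n in range(1, max_len + 1)
               for sigma in product(domain, repeat=n))


if __name__ == "__main__":
    # The step 1 -> 5 violates E; v then stays constant, so E^{+v} holds.
    print(plus_semantic([0, 1, 5]), plus_constructed([0, 1, 5]))
    # A behavior that never satisfied Init still satisfies E^{+v} if c never moves.
    print(plus_semantic([5, 5]), plus_constructed([5, 5]))
    print(proposition3_agrees((0, 1, 2, 5), 4))
```

Note that a behavior whose first state violates $\mathit{Init}$ still satisfies $E^{+v}$ as long as $v$ never changes: the $n = 0$ case of the definition, and the $\neg\mathit{Init} \wedge (s = 1)$ disjunct of $\mathit{Init}^{+}$, agree on this.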

3.5.2 $-\!\triangleright$ 

For temporal formulas $E$ and $M$, the formula $E \mathrel{-\!\triangleright} M$ asserts that $M$ holds 
at least as long as $E$ does [4]. More precisely, $E \mathrel{-\!\triangleright} M$ is true of a behavior $\sigma$ 
iff $E \Rightarrow M$ is true of $\sigma$ and of every finite prefix of $\sigma$. Thus, $E \mathrel{-\!\triangleright} M$ equals 
$(\mathcal{C}(E) \mathrel{-\!\triangleright} \mathcal{C}(M)) \wedge (E \Rightarrow M)$. The operator $-\!\triangleright$ acts much like ordinary 
implication. In fact, $\models E \mathrel{-\!\triangleright} M$ is equivalent to $\models E \Rightarrow M$. Of course, it is 
not in general true that $\models (E \mathrel{-\!\triangleright} M) \equiv (E \Rightarrow M)$. 
3.5.3 $\overset{+}{-\!\triangleright}$ 

As we observed in the introduction, we interpret the specification that $M$ is 
guaranteed under assumption $E$ as the formula $E \mathrel{\overset{+}{-\!\triangleright}} M$, which means that 
$M$ holds at least one step longer than $E$ does. More precisely, $E \mathrel{\overset{+}{-\!\triangleright}} M$ is 
true of a behavior $\sigma$ iff $E \Rightarrow M$ is true of $\sigma$ and, for every $n \geq 0$, if $E$ holds 
for the first $n$ states of $\sigma$, then $M$ holds for the first $n+1$ states of $\sigma$. Thus, 
$E \mathrel{\overset{+}{-\!\triangleright}} M$ equals $(\mathcal{C}(E) \mathrel{\overset{+}{-\!\triangleright}} \mathcal{C}(M)) \wedge (E \Rightarrow M)$. 

The formula $E \mathrel{\overset{+}{-\!\triangleright}} M$ is stronger than $E \mathrel{-\!\triangleright} M$, which asserts that $M$ 
holds as long as $E$ does. If $E$ is a safety property, then $E \mathrel{\overset{+}{-\!\triangleright}} M$ equals 
$(M \mathrel{-\!\triangleright} E) \mathrel{-\!\triangleright} M$. If $E$ and $M$ are both safety properties and $v$ is a tuple of 
variables containing all free variables of $M$, then $E \mathrel{\overset{+}{-\!\triangleright}} M$ equals $E^{+v} \mathrel{-\!\triangleright} M$. 



3.5.4 $\bot$ 

The specification $M$ of a component can be made false only by a step that 
changes the component's output variables. In an interleaving representation, 
we do not allow a single step to change output variables of two different 
components. Hence, if $E$ and $M$ are specifications of separate components, 
we expect that no step will make both $E$ and $M$ false. More precisely, we 
expect $E$ and $M$ to be orthogonal, where $E \bot M$ is true of a behavior 
$\sigma$ iff there is no $n \geq 0$ such that $E$ and $M$ are both true for the first $n$ 
states of $\sigma$ and both false for the first $n+1$ states of $\sigma$. If $E$ and $M$ are 
safety properties, then $E \bot M$ equals $(E \wedge M) \mathrel{\overset{+}{-\!\triangleright}} (E \vee M)$. For arbitrary 
properties, $E \bot M$ equals $\mathcal{C}(E) \bot \mathcal{C}(M)$. 

If no step falsifies both $E$ and $M$, and $M$ remains true as long as $E$ 
does, then $M$ must remain true at least one step longer than $E$ does. Hence, 
$E \bot M$ implies the equivalence of $E \mathrel{-\!\triangleright} M$ and $E \mathrel{\overset{+}{-\!\triangleright}} M$. In fact, $(E \mathrel{\overset{+}{-\!\triangleright}} 
M) \equiv (E \mathrel{-\!\triangleright} M) \wedge (E \bot M)$ is valid. From this and the relation between 
$\overset{+}{-\!\triangleright}$ and $+$, we can derive: 

Proposition 4 If $E$, $M$, and $R$ are safety properties, and $v$ is a tuple of 
variables containing all variables that occur free in $M$, then $\models E \wedge R \Rightarrow M$ 
and $\models R \Rightarrow E \bot M$ imply $\models E^{+v} \wedge R \Rightarrow M$. 

This proposition enables us to use orthogonality to remove $+$ from proof 
obligations. To apply the proposition, we must prove the orthogonality of 
component specifications. We do this for interleaving specifications with the 
following result. 
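The three operators of Sections 3.5.2 to 3.5.4, and the identity $(E \mathrel{\overset{+}{-\!\triangleright}} M) \equiv (E \mathrel{-\!\triangleright} M) \wedge (E \bot M)$ just stated, can be checked on finite behaviors. The Python script below is an added example, not code from the paper: it models safety properties as prefix-closed predicates on lists of states, implements $E \Rightarrow M$, $E \mathrel{-\!\triangleright} M$, $E \mathrel{\overset{+}{-\!\triangleright}} M$ and $E \bot M$ from their definitions, and verifies the identity exhaustively over short behaviors. The environment assumption ($x$ never decreases) and the guarantee ($y \leq x$ in every state) are constructed for the example and are not the paper's specifications; they are chosen so that the three operators disagree on the sample behaviors.

```python
"""E => M, E -|> M (while), E -+|> M (assumption/guarantee) and E _|_ M
(orthogonality) on finite behaviors.  Added example, not the paper's code.

A state is a dict of variable values; a behavior is a list of states; a safety
property is a prefix-closed predicate on finite behaviors (true of the empty one).
"""
from itertools import product


def E(sigma):
    """Constructed environment assumption: x never decreases."""
    return all(t["x"] >= s["x"] for s, t in zip(sigma, sigma[1:]))


def M(sigma):
    """Constructed component guarantee: y <= x in every state."""
    return all(s["y"] <= s["x"] for s in sigma)


def implies(E, M, sigma):
    """E => M on the whole (finite) behavior."""
    return (not E(sigma)) or M(sigma)


def whilst(E, M, sigma):
    """E -|> M: E => M holds of the behavior and of every finite prefix."""
    return all(implies(E, M, sigma[:n]) for n in range(len(sigma) + 1))


def ag(E, M, sigma):
    """E -+|> M: E => M holds of the behavior, and for every n >= 0, if E holds
    for the first n states then M holds for the first n+1 states."""
    if not implies(E, M, sigma):
        return False
    return all((not E(sigma[:n])) or M(sigma[:n + 1]) for n in range(len(sigma)))


def orthogonal(E, M, sigma):
    """E _|_ M: no step makes E and M false simultaneously."""
    return not any(E(sigma[:n]) and M(sigma[:n])
                   and not E(sigma[:n + 1]) and not M(sigma[:n + 1])
                   for n in range(len(sigma)))


def identity_holds(domain, max_len):
    """(E -+|> M) == (E -|> M) /\ (E _|_ M) on every behavior whose x and y
    are drawn from `domain` and that has 1..max_len states."""
    states = [{"x": x, "y": y} for x in domain for y in domain]
    return all(ag(E, M, list(sigma)) == (whilst(E, M, list(sigma))
                                          and orthogonal(E, M, list(sigma)))
               for n in range(1, max_len + 1)
               for sigma in product(states, repeat=n))


def st(x, y):
    return {"x": x, "y": y}


# Constructed sample behaviors.
# The last step breaks E (x decreases) and M (y > x) at once: E -|> M is true
# because the prefixes are fine, but E -+|> M demands M one step longer.
SIGMA_SAME_STEP = [st(0, 0), st(1, 0), st(0, 5)]
# M is broken first (state 2), E later (state 3): E => M is vacuously true on
# the whole behavior, yet E -|> M fails on the 2-state prefix.
SIGMA_M_FIRST = [st(0, 0), st(1, 5), st(0, 5)]
# Both properties hold throughout.
SIGMA_GOOD = [st(0, 0), st(1, 1), st(2, 1)]

if __name__ == "__main__":
    for name, sigma in [("same step", SIGMA_SAME_STEP),
                        ("M first", SIGMA_M_FIRST), ("good", SIGMA_GOOD)]:
        print(name, implies(E, M, sigma), whilst(E, M, sigma),
              ag(E, M, sigma), orthogonal(E, M, sigma))
    print("identity:", identity_holds(range(3), 3))
```

The first sample behavior is the one the text describes: no step falsifies $E$ without also falsifying $M$, so $E \mathrel{-\!\triangleright} M$ holds but $E \mathrel{\overset{+}{-\!\triangleright}} M$ does not, and it is exactly the orthogonality conjunct that fails. The exhaustive check covers every behavior over the small domain, so it exercises all ways the two safety properties can fail in either order or together.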
Proposition 5 If 

$\models \mathcal{C}(E) \equiv \mathit{Init}_E \wedge \Box[N_E]_{\langle x, e\rangle}$ 

$\models \mathcal{C}(M) \equiv \mathit{Init}_M \wedge \Box[N_M]_{\langle y, m\rangle}$ 

then 

$\models (\exists x : \mathit{Init}_E \vee \exists y : \mathit{Init}_M) \wedge \mathit{Disjoint}(e, m) \Rightarrow \mathcal{C}(\exists x : E) \bot \mathcal{C}(\exists y : M)$ 

4 Decomposing a Complete Specification 

4.1 Specifying a Component 

Let us consider how to write the specification $M$ of one component of a 
larger system. We assume that the free variables of the specification can be 
partitioned into tuples $m$ of output variables and $e$ of input variables; the 
component changes the values of the variables of $m$ only. (A more general 
situation is discussed below.) The specification of a component has the same 
form $\exists x : \mathit{Init} \wedge \Box[N]_v \wedge L$ as that of a complete system. For a component 
specification: 

$v$ is the tuple $\langle x, m, e\rangle$. 

$\mathit{Init}$ describes the initial values of the component's output variables $m$ and 
internal variables $x$. 

$N$ should allow two kinds of steps — ones that the component performs, and 
ones that its environment performs. Steps performed by the compo- 
nent, which change its output variables $m$, are described by an action 
$N_M$. In an interleaving representation, the component's inputs and 
outputs cannot change simultaneously, so $N_M$ implies $e' = e$. In a 
noninterleaving representation, $N_M$ does not constrain the value of $e'$, 
so the variables of $e$ do not appear primed in $N_M$. In either case, we 
are specifying the component but not its environment, so the speci- 
fication should allow the environment to do anything except change 
the component's output variables or internal variables. In other words, 
the environment is allowed to perform any step in which $\langle m, x\rangle'$ equals 
$\langle m, x\rangle$. Therefore, $N$ should equal $N_M \vee (\langle m, x\rangle' = \langle m, x\rangle)$. 

$L$ is the conjunction of fairness conditions of the form $\mathrm{WF}_{\langle m, x\rangle}(A)$ and 
$\mathrm{SF}_{\langle m, x\rangle}(A)$. For an interleaving representation, which by definition 
does not allow steps that change both $e$ and $m$, the subscripts $\langle m, x\rangle$ 
and $\langle e, m, x\rangle$ yield equivalent fairness conditions. 



This leads us to write $M$ in the form 

$M \triangleq \exists x : \mathit{Init} \wedge \Box[N_M \vee (\langle m, x\rangle' = \langle m, x\rangle)]_{\langle e, m, x\rangle} \wedge L$ (3) 

By simple logic, (3) is equivalent to 

$M \triangleq \exists x : \mathit{Init} \wedge \Box[N_M]_{\langle m, x\rangle} \wedge L$ (4) 

For the specification $M_a$ of process $\Pi_a$ in the GCD example, $x$ is the 
empty tuple (there is no internal variable), the input variable $e$ is $b$, the 
output variable $m$ is $a$, and 

$\mathit{Init}_a \triangleq a = 233344$ 

$N_a \triangleq (a > b) \wedge (a' = a - b) \wedge (b' = b)$ (5) 

$M_a \triangleq \mathit{Init}_a \wedge \Box[N_a]_a \wedge \mathrm{WF}_a(N_a)$ 

For the specification of the low-level process $\Pi'_a$, the tuple $x$ is $\langle a_i, pc_a\rangle$, 
where $pc_a$ is an internal variable that tells whether control is at the beginning 
of the loop or after the assignment to $a_i$. The specification has the form 

$M'_a \triangleq \exists a_i, pc_a : \mathit{Init}'_a \wedge \Box[N'_a]_{\langle a, a_i, pc_a\rangle} \wedge \mathrm{WF}_{\langle a, a_i, pc_a\rangle}(N'_a)$ (6) 

for appropriate initial condition $\mathit{Init}'_a$ and next-state action $N'_a$. The speci- 
fications $M_b$ and $M'_b$ are similar. 

In our queue example, we can write the specifications of both the queue 
and its environment as separate components in the form (4). For the queue 
component, the tuple $m$ of output variables is $\langle i.ack, o.snd\rangle$, the tuple $e$ of 
input variables is $\langle i.snd, o.ack\rangle$, and the specification is 

$IQM \triangleq \mathit{Init}_M \wedge \Box[Q_M]_{\langle i.ack, o.snd, q\rangle} \wedge ICL$ 

$QM \triangleq \exists q : IQM$ (7) 

The specification of the environment as a separate component is 

$QE \triangleq \mathit{Init}_E \wedge \Box[Q_E]_{\langle i.snd, o.ack\rangle}$ (8) 

We have provided specifications of the queue and its environment in an 
interleaving representation. A noninterleaving representation of the queue 
can be obtained by modifying its specification as follows. 

• Change the $Enq$ and $Deq$ actions so they do not constrain the values 
of $i.snd'$ or $o.ack'$. 

• Define an action $DeqEnq$ that simultaneously enqueues an input value 
and dequeues an output value, and change the definition of $Q_M$ to 
have $DeqEnq$ as an additional disjunct. 

The resulting specification $QM^{ni}$ is given in Figure 9. A noninterleaving 
representation of the queue's environment can be obtained in a similar fash- 
ion. 

$\mathit{Init}_M \triangleq CInit(o) \wedge (q = \langle\rangle)$ 

$Enq^{ni} \triangleq \wedge\ |q| < N$ 
$\qquad\qquad\ \wedge\ Ack(i) \wedge (q' = q \circ \langle i.val\rangle)$ 
$\qquad\qquad\ \wedge\ o.snd' = o.snd$ 

$Deq^{ni} \triangleq \wedge\ |q| > 0$ 
$\qquad\qquad\ \wedge\ Send(Head(q), o) \wedge (q' = Tail(q))$ 
$\qquad\qquad\ \wedge\ i.ack' = i.ack$ 

$DeqEnq^{ni} \triangleq \wedge\ (|q| > 0) \wedge Send(Head(q), o)$ 
$\qquad\qquad\qquad\ \wedge\ Ack(i)$ 
$\qquad\qquad\qquad\ \wedge\ q' = Tail(q) \circ \langle i.val\rangle$ 

$Q_M^{ni} \triangleq Enq^{ni} \vee Deq^{ni} \vee DeqEnq^{ni}$ 

$IQM^{ni} \triangleq \mathit{Init}_M \wedge \Box[Q_M^{ni}]_{\langle i.ack, o.snd, q\rangle} \wedge \mathrm{WF}_{\langle i.ack, o.snd, q\rangle}(Q_M^{ni})$ 

Figure 9: A noninterleaving representation of the queue component. 

We have been assuming that the visible variables of the component's 
specification can be partitioned into tuples $m$ of output variables and $e$ of 
input variables. To see how to handle a more general case, let $\mu_M$ be the 
action $m' \neq m$, let $v$ equal $\langle e, m\rangle$, and observe that $[N_M]_{\langle m, x\rangle}$ equals $[N_M \vee 
(\neg\mu_M \wedge (x' = x))]_{\langle v, x\rangle}$. A $\mu_M$ step is one that is attributed to the component, 
since it changes the component's output variables. When the tuple $v$ of 
variables is not partitioned into input and output variables, we define an 
action $\mu_M$ that specifies what steps are attributed to the component, and we 
write the component's next-state action in the form $N_M \vee (\neg\mu_M \wedge (x' = x))$. 
All our results for separate input and output variables can be generalized 
by writing the next-state action in this form. However, for simplicity, we 
consider only the special case. 
4.2 Conjoining Components to Form a Complete System 



In Section 3.1, we describe how to specify a complete system. In Section 4.1, 
we describe how to specify an individual component of a system. A complete 
system is the composition of its components. Composing two systems means 
constructing a universe in which they are both running. If formulas $M_1$ and 
$M_2$ represent the two systems, then $M_1 \wedge M_2$ represents their composition, 
since a behavior represents a possible history of a universe containing both 
systems iff it satisfies both $M_1$ and $M_2$. Thus, in principle, composition is 
conjunction. We now show that composition is conjunction in practice as 
well. 

For composition to be conjunction, the conjunction of the specifications 
of all components should be equivalent to the specification of the complete 
system. For example, the conjunction of the specifications $QM$ of the queue 
and $QE$ of its environment should be equivalent to the specification $CQ$ of 
the complete system shown in Figure 5. Recall that 

$QE \triangleq \mathit{Init}_E \wedge \Box[Q_E]_{\langle i.snd, o.ack\rangle}$ 

$QM \triangleq \exists q : \mathit{Init}_M \wedge \Box[Q_M]_{\langle i.ack, o.snd, q\rangle} \wedge ICL$ 

$CQ \triangleq \exists q : \wedge\ \mathit{Init}_E \wedge \mathit{Init}_M$ 
$\qquad\qquad\quad\ \wedge\ \Box[\vee\ Q_E \wedge (q' = q)$ 
$\qquad\qquad\qquad\quad\ \vee\ Q_M]_{\langle i.snd, o.ack, i.ack, o.snd, q\rangle}$ 
$\qquad\qquad\quad\ \wedge\ ICL$ 

We deduce the equivalence of $QE \wedge QM$ and $CQ$ from the following result, 
by substituting $QE$ for $M_1$ and $QM$ for $M_2$. (In this case, $x_1$ is the empty 
tuple $\langle\rangle$, so $\hat{x}_2$, the tuple of the other components' internal variables, equals $\langle\rangle$, 
and $\hat{x}_2' = \hat{x}_2$ equals $\mathit{true}$.) 

Proposition 6 Let $m_1, \ldots, m_n, x_1, \ldots, x_n$ be tuples of variables, and let 

$M_i \triangleq \exists x_i : \mathit{Init}_i \wedge \Box[N_i]_{\langle m_i, x_i\rangle} \wedge L_i$ 

If, for all $i, j = 1, \ldots, n$ with $i \neq j$: 

1. no variable of $x_j$ occurs free in $x_i$ or $M_i$. 

2. $m$ includes all free variables of $M_i$. 

3. $\models N_i \Rightarrow (m_j' = m_j)$ 

then 

$\models \bigwedge_{i=1}^{n} M_i \equiv \exists x : \bigwedge_{i=1}^{n} \mathit{Init}_i \wedge \Box\Big[\bigvee_{i=1}^{n} N_i \wedge (\hat{x}_i' = \hat{x}_i)\Big]_{\langle x, m\rangle} \wedge \bigwedge_{i=1}^{n} L_i$ 

In this proposition, hypothesis 3 asserts that component $i$ leaves the vari- 
ables of other components unchanged, so $M_i$ is an interleaving representa- 
tion of component $i$. Hence, $M_i$ implies $\mathit{Disjoint}(m_i, m_j)$, for each $j \neq i$, 
and $\bigwedge_{i=1}^{n} M_i$ implies $\mathit{Disjoint}(m_1, \ldots, m_n)$, as expected for an interleaving 
representation of the complete system. 

In the GCD example, we apply this proposition to the formula $M_a$ of 
(5) and the analogous formula $M_b$. We immediately get that $M_a \wedge M_b$ is 
equivalent to a formula that is the same as $M_{gcd}$, defined by (2), except with 
$\mathrm{WF}_{\langle a, b\rangle}(N_a) \wedge \mathrm{WF}_{\langle a, b\rangle}(N_b)$ instead of $\mathrm{WF}_{\langle a, b\rangle}(N)$. It can be shown that 
these two fairness conditions are equivalent; hence, $M_a \wedge M_b$ is equivalent 
to $M_{gcd}$. 

As another example of decomposition, we consider the system of Fig- 
ure 7, consisting of two queues in series together with an environment. This 
system can be decomposed into three components with the following speci- 
fications. 

1st queue: $\exists q_1 : \mathit{Init}_M^{[1]} \wedge \Box[Q_M^{[1]} \wedge (o' = o)]_{\langle i.ack, z.snd, q_1\rangle} \wedge ICL^{[1]}$ 

2nd queue: $\exists q_2 : \mathit{Init}_M^{[2]} \wedge \Box[Q_M^{[2]} \wedge (i' = i)]_{\langle z.ack, o.snd, q_2\rangle} \wedge ICL^{[2]}$ 

environment: $\mathit{Init}_E \wedge \Box[Q_E \wedge (z' = z)]_{\langle i.snd, o.ack\rangle}$ 

To obtain an interleaving representation, we have conjoined $o' = o$ to $Q_M^{[1]}$ 
in the first queue's next-state action, because $Q_M^{[1]}$ does not mention $o$. Sim- 
ilarly, we have conjoined $i' = i$ to the second queue's next-state action, and 
$z' = z$ to the environment's. It follows from Proposition 6 that the con- 
junction of these three specifications equals the specification $CDQ$ of the 
complete system, defined in Figure 8. 

Hypothesis 3 of Proposition 6 is satisfied only by interleaving represen- 
tations. For arbitrary representations, a straightforward calculation shows 

$\models \bigwedge_{i=1}^{n} M_i \equiv \exists x : \bigwedge_{i=1}^{n} \mathit{Init}_i \wedge \bigwedge_{i=1}^{n} \big(\Box[N_i]_{\langle m_i, x_i\rangle} \wedge L_i\big)$ (9) 

assuming only the first hypothesis of the proposition. The right-hand side 
has the expected form for a noninterleaving specification, since it allows 
$N_i \wedge N_j$ steps for $i \neq j$. Hence, composition is conjunction for noninterleaving 
representations too. 

4.3 The Decomposition Theorem 
4.3.1 The Basic Theorem 

Consider a complete system decomposed into components $\Pi_i$. We would like 
to prove that this system is implemented by a lower-level one, consisting of 
components $\Pi'_i$, by proving that each $\Pi'_i$ implements $\Pi_i$. Let $M_i$ be the 
specification of $\Pi_i$ and $M'_i$ be the specification of $\Pi'_i$. We must prove that 
$\bigwedge_{i=1}^{n} M'_i$ implies $\bigwedge_{i=1}^{n} M_i$. This implication is trivially true if $M'_i$ implies $M_i$ 
for all $i$. However, as we saw in the GCD example, $M'_i$ need not imply $M_i$. 

Even when $M'_i \Rightarrow M_i$ does not hold, we need not reason about all the 
lower-level components together. Instead, we prove $E_i \wedge M'_i \Rightarrow M_i$, where $E_i$ 
includes just the properties of the other components assumed by component 
$i$, and is usually much simpler than $\bigwedge_{k \neq i} M'_k$. Proving $E_i \wedge M'_i \Rightarrow M_i$ involves 
reasoning only about component $i$, not about the entire lower-level system. 

In propositional logic, to deduce that $\bigwedge_{i=1}^{n} M'_i$ implies $\bigwedge_{i=1}^{n} M_i$ from 
$\bigwedge_{i=1}^{n}(E_i \wedge M'_i \Rightarrow M_i)$, we may prove that $\bigwedge_{k=1}^{n} M'_k$ implies $E_i$ for each $i$. 
However, proving this still requires reasoning about $\bigwedge_{k=1}^{n} M'_k$, the specifi- 
cation of the entire lower-level system. The following theorem shows that 
we need only prove that $E_i$ is implied by $\bigwedge_{k=1}^{n} M_k$, the specification of the 
higher-level system — a formula usually much simpler than $\bigwedge_{k=1}^{n} M'_k$. 

Proving $E_i \wedge M'_i \Rightarrow M_i$ and $(\bigwedge_{k=1}^{n} M_k) \Rightarrow E_i$ for each $i$ and deducing 
$(\bigwedge_{i=1}^{n} M'_i) \Rightarrow (\bigwedge_{i=1}^{n} M_i)$ is circular reasoning, and is not sound in general. 
Such reasoning would allow us to deduce $(\bigwedge_{i=1}^{n} M'_i) \Rightarrow (\bigwedge_{i=1}^{n} M_i)$ for any 
$M'_i$ and $M_i$: simply let $E_i$ equal $M_i$. To break the circularity, we need to 
add some $\mathcal{C}$'s and one hypothesis: if $E_i$ is ever violated then, for at least one 
additional step, $M'_i$ implies $M_i$. This hypothesis is expressed formally as 
$\models \mathcal{C}(E_i)^{+v} \wedge \mathcal{C}(M'_i) \Rightarrow \mathcal{C}(M_i)$, for some $v$; the hypothesis is weakest when 
$v$ is taken to be the tuple of all relevant variables. Our proof rule is: 

Theorem 1 (Decomposition Theorem) If, for $i = 1, \ldots, n$, 

1. $\models \bigwedge_{j=1}^{n} \mathcal{C}(M_j) \Rightarrow E_i$ 

2. (a) $\models \mathcal{C}(E_i)^{+v} \wedge \mathcal{C}(M'_i) \Rightarrow \mathcal{C}(M_i)$ 
   (b) $\models E_i \wedge M'_i \Rightarrow M_i$ 

then $\models \bigwedge_{i=1}^{n} M'_i \Rightarrow \bigwedge_{i=1}^{n} M_i$. 

This theorem is a corollary of the Composition Theorem of Section 5.2 below. 

In the GCD example, we want to use the theorem to prove $M'_a \wedge M'_b \Rightarrow 
M_a \wedge M_b$. (The component specifications are described in Section 4.1.) The 
abstract environment specification $E_a$ asserts that $b$ can change only when 
$a < b$, and that $a$ is not changed by steps that change $b$. Thus, 

$E_a \triangleq \Box[(a < b) \wedge (a' = a)]_b$ 

The definition of $E_b$ is analogous. We let $v$ be $\langle a, b\rangle$. 

In general, the environment and component specifications can have inter- 
nal variables. The theorem also allows them to contain fairness conditions. 
However, hypothesis 1 asserts that the $E_i$ are implied by safety properties. 
In practice, this means that the theorem can be applied only when the $E_i$ are 
safety properties. Examples indicate that, in general, compositional reason- 
ing is possible only when the environment conditions are safety properties. 

4.3.2 Verifying the Hypotheses 

We now discuss how one verifies the hypotheses of the Decomposition The- 
orem, illustrating the method with the GCD example. 

To prove the first hypothesis, one first uses Propositions 1 and 2 to 
eliminate the closure operators and existential quantifiers, reducing the hy- 
pothesis to a condition of the form 

$\models \bigwedge_{i=1}^{n} (\mathit{Init}_i \wedge \Box[N_i]_{v_i}) \Rightarrow E_i$ (10) 

For interleaving representations, we can then use Proposition 6 to write 
$\bigwedge_{i=1}^{n} (\mathit{Init}_i \wedge \Box[N_i]_{v_i})$ in canonical form. For noninterleaving representations, 
we apply (9). In either case, the proof of (10) is an implementation proof of 
the kind discussed in Section 3.2. 

For the GCD example, the first hypothesis asserts that $\mathcal{C}(M_a) \wedge \mathcal{C}(M_b)$ 
implies $E_a$ and $E_b$. This differs from the third hypothesis of (1) in Section 2.1 
because of the $\mathcal{C}$'s. To verify the hypothesis, we can apply Proposition 1 to 
show that $\mathcal{C}(M_a)$ and $\mathcal{C}(M_b)$ are obtained by simply deleting the fairness 
conditions from $M_a$ and $M_b$. Since $N_b$ implies $(a < b) \wedge (a' = a)$, it is 
easy to see that $\mathcal{C}(M_b)$ implies $E_a$. It is equally easy to see that $\mathcal{C}(M_a)$ 
implies $E_b$. (In more complicated examples, $E_i$ will not follow from $\mathcal{C}(M_j)$ 
for any single $j$.) 
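The two GCD facts used so far, that $M_a \wedge M_b$ equals the complete-system specification $M_{gcd}$ (Section 4.2, via Proposition 6) and that $\mathcal{C}(M_b)$ implies $E_a$ (hypothesis 1 of the Decomposition Theorem, just above), can both be checked by enumeration once the fairness conditions are deleted, exactly as Proposition 1 licenses. The Python script below is an added example, not code from the paper. It encodes $N_a$, $N_b$, $E_a$ and the safety parts of $M_a$, $M_b$ and $M_{gcd}$ as predicates on finite behaviors over $\langle a, b\rangle$ and checks the two implications, plus a sanity check that $M_a$ alone does not imply $E_a$. The initial values and the value domain are constructed for the example (the paper's $\mathit{Init}_a$ uses $a = 233344$, too large to enumerate).

```python
"""Composition is conjunction, and hypothesis 1 of the Decomposition Theorem,
checked by enumeration on the GCD example.  Added example, not the paper's code.

A state is a pair (a, b); a behavior is a list of states.  Only safety parts
are modelled: by Proposition 1, C(M_a) and C(M_b) are M_a and M_b with their
fairness conditions deleted.
"""
from itertools import product

A0, B0 = 6, 4        # constructed initial values standing in for the paper's


def N_a(s, t):
    """(a > b) /\ (a' = a - b) /\ (b' = b)"""
    (a, b), (a1, b1) = s, t
    return a > b and a1 == a - b and b1 == b


def N_b(s, t):
    """(b > a) /\ (b' = b - a) /\ (a' = a)"""
    (a, b), (a1, b1) = s, t
    return b > a and b1 == b - a and a1 == a


def box(action, changed, sigma):
    """[][action]_v over a finite behavior: every step is an action step or
    leaves the subscript tuple unchanged (`changed` says whether it changed)."""
    return all(action(s, t) or not changed(s, t) for s, t in zip(sigma, sigma[1:]))


def M_a_safety(sigma):
    """Init_a /\ [][N_a]_a, the closure of M_a."""
    return sigma[0][0] == A0 and box(N_a, lambda s, t: t[0] != s[0], sigma)


def M_b_safety(sigma):
    """Init_b /\ [][N_b]_b, the closure of M_b."""
    return sigma[0][1] == B0 and box(N_b, lambda s, t: t[1] != s[1], sigma)


def M_gcd_safety(sigma):
    """Init /\ [][N_a \/ N_b]_{<<a, b>>}, the closure of the complete system."""
    return (sigma[0] == (A0, B0)
            and box(lambda s, t: N_a(s, t) or N_b(s, t), lambda s, t: t != s, sigma))


def E_a(sigma):
    """[][(a < b) /\ (a' = a)]_b: b changes only when a < b, and never with a."""
    return box(lambda s, t: s[0] < s[1] and t[0] == s[0],
               lambda s, t: t[1] != s[1], sigma)


def behaviors(domain, max_len):
    """All behaviors with 1..max_len states over a constructed value domain."""
    states = list(product(domain, repeat=2))
    for n in range(1, max_len + 1):
        for sigma in product(states, repeat=n):
            yield list(sigma)


def composition_is_conjunction(domain, max_len):
    """C(M_a) /\ C(M_b) == C(M_gcd) on every enumerated behavior."""
    return all((M_a_safety(s) and M_b_safety(s)) == M_gcd_safety(s)
               for s in behaviors(domain, max_len))


def hypothesis1_holds(domain, max_len):
    """Hypothesis 1 of the Decomposition Theorem for E_a: C(M_b) => E_a."""
    return all(E_a(s) for s in behaviors(domain, max_len) if M_b_safety(s))


def counterexample_to_Ea_from_Ma(domain, max_len):
    """C(M_a) alone does not imply E_a: return a behavior showing it, or None."""
    for s in behaviors(domain, max_len):
        if M_a_safety(s) and not E_a(s):
            return s
    return None


if __name__ == "__main__":
    DOMAIN = (0, 2, 4, 6)      # constructed; closed under the GCD steps from (6, 4)
    print(composition_is_conjunction(DOMAIN, 3), hypothesis1_holds(DOMAIN, 3))
    print(counterexample_to_Ea_from_Ma(DOMAIN, 3))
```

The counterexample search shows why the environment assumption is needed at all: $M_a$ says nothing about $b$, so a behavior in which $b$ jumps while $a > b$ satisfies $M_a$ and violates $E_a$; it is $\mathcal{C}(M_b)$, the other component's safety part, that rules such steps out.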

To prove part (a) of the second hypothesis, we first eliminate the $+$. 
For noninterleaving representations, this must be done with Proposition 3, 
as described in Section 3.5.1. For interleaving representations, we can ap- 
ply Propositions 4 and 5, as described in Section 3.5.4. In either case, we 
can prove the resulting formula by first using Proposition 2 to eliminate 
quantifiers, using Proposition 1 to compute closures, and then performing a 
standard implementation proof with a refinement mapping. 

Part (b) of the hypothesis also calls for a standard implementation proof, 
for which we use the same refinement mapping as in the proof of (a). Since 
$E_i$ implies $\mathcal{C}(E_i)^{+v}$ and $M'_i$ implies $\mathcal{C}(M'_i)$, we can infer from part (a) that 
$E_i \wedge M'_i$ implies $\mathcal{C}(M_i)$. Thus proving part (b) requires verifying only the 
liveness part of $M_i$. 

For the GCD example, we verify the two parts of the second hypothesis 
by proving $\mathcal{C}(E_a)^{+\langle a, b\rangle} \wedge \mathcal{C}(M'_a) \Rightarrow \mathcal{C}(M_a)$ and $E_a \wedge M'_a \Rightarrow M_a$; the proofs 
of the corresponding conditions for $M_b$ are similar. We first observe that 
the initial condition of $E_a$ is true, and that, since $M'_a$ is an interleaving 
representation, its next-state action $N'_a$ implies that no step changes both 
$a$ and $b$, so $\mathcal{C}(M'_a)$ implies $\mathit{Disjoint}(a, b)$. Hence, applying Propositions 4 
and 5, we reduce our task to proving $\mathcal{C}(E_a) \wedge \mathcal{C}(M'_a) \Rightarrow \mathcal{C}(M_a)$ and $E_a \wedge 
M'_a \Rightarrow M_a$. Applying Proposition 2 to remove the quantifier from $\mathcal{C}(M'_a)$ and 
Proposition 1 to remove the $\mathcal{C}$'s, we reduce proving $\mathcal{C}(E_a) \wedge \mathcal{C}(M'_a) \Rightarrow \mathcal{C}(M_a)$ 
to proving 

$E_a \wedge \mathit{Init}'_a \wedge \Box[N'_a]_{\langle a, a_i, pc_a\rangle} \Rightarrow \mathit{Init}_a \wedge \Box[N_a]_a$ (11) 

Using simple logic and (11), we reduce proving $E_a \wedge M'_a \Rightarrow M_a$ to proving 

$E_a \wedge \mathit{Init}'_a \wedge \Box[N'_a]_{\langle a, a_i, pc_a\rangle} \wedge \mathrm{WF}_{\langle a, a_i, pc_a\rangle}(N'_a) \Rightarrow \mathrm{WF}_a(N_a)$ (12) 

We can use Proposition 6 to rewrite the left-hand sides of (11) and (12) in 
canonical form. The resulting conditions are in the usual form for a TLA 
implementation proof. 

In summary, by applying our propositions in a standard sequence, we 
can use the Decomposition Theorem to reduce decompositional reasoning 
to ordinary TLA reasoning. This reduction may seem complicated for so 
trivial an example as the GCD program, but it will be an insignificant part 
of the proof for any realistic example. 
4.3.3 The General Theorem 

We sometimes need to prove the correctness of systems defined inductively. 
At induction stage $N+1$, the low- and high-level specifications are defined as 
the conjunctions of $k$ copies of low- and high-level specifications of stage $N$, 
respectively. For example, a $2^{N+1}$-bit multiplier is sometimes implemented 
by combining four $2^N$-bit multipliers. We want to prove by induction on 
$N$ that the stage $N$ low-level specification implements the stage $N$ high- 
level specification. For such a proof, we need a more general decomposition 
theorem whose conclusion at stage $N$ can be used in proving the hypotheses 
at stage $N+1$. The appropriate theorem is: 

Theorem 2 (General Decomposition Theorem) If, for $i = 1, \ldots, n$, 

1. $\models \mathcal{C}(E) \wedge \bigwedge_{j=1}^{n} \mathcal{C}(M_j) \Rightarrow E_i$ 

2. (a) $\models \mathcal{C}(E_i)^{+v} \wedge \mathcal{C}(M'_i) \Rightarrow \mathcal{C}(M_i)$ 
   (b) $\models E_i \wedge M'_i \Rightarrow M_i$ 

3. $v$ is a tuple of variables including all the free variables of $M_i$. 

then (a) $\models \mathcal{C}(E)^{+v} \wedge \bigwedge_{j=1}^{n} \mathcal{C}(M'_j) \Rightarrow \bigwedge_{j=1}^{n} \mathcal{C}(M_j)$, and 

(b) $\models E \wedge \bigwedge_{j=1}^{n} M'_j \Rightarrow \bigwedge_{j=1}^{n} M_j$. 

Conclusion (b) of this theorem has the same form as hypothesis 2(b), with 
$M'_i$ and $M_i$ replaced with conjunctions. To make the corresponding hy- 
pothesis 2(a) follow from conclusion (a), it suffices to prove $\bigwedge_{j=1}^{n} \mathcal{C}(M_j) \Rightarrow 
\mathcal{C}(\bigwedge_{j=1}^{n} M_j)$, since $\mathcal{C}(\bigwedge_{j=1}^{n} M_j) \Rightarrow \bigwedge_{j=1}^{n} \mathcal{C}(M_j)$ is always true. 

The General Decomposition Theorem has been applied to the verification 
of an inductively-defined multiplier circuit [11]. 

It can be shown that both versions of our decomposition theorem provide 
complete rules for verifying that one composition implies another. However, 
this result is of no significance. Decomposition can simplify a proof only 
if the proof can be decomposed, in the sense that each $M'_i$ implements the 
corresponding $M_i$ under a simple environment assumption $E_i$. Our theorems 
are designed to handle those proofs that can be decomposed. 
5 Composing Assumption/Guarantee Specifications 

5.1 The Form of an Assumption/Guarantee Specification 

An assumption/guarantee specification asserts that a system guarantees $M$ 
under the assumption that its environment satisfies $E$. As we saw in Sec- 
tion 2.2, this specification is expressed by the formula $E \mathrel{\overset{+}{-\!\triangleright}} M$, which means 
that, for any $n$, if the environment satisfies $E$ through "time" $n$, then the 
system must satisfy $M$ through "time" $n+1$. 

Perhaps the most obvious form for an assumption/guarantee specifica- 
tion is $E \Rightarrow M$. The formula $E \Rightarrow M$ is weaker than $E \mathrel{\overset{+}{-\!\triangleright}} M$, since it 
allows behaviors in which $M$ is violated before $E$. However, an implementa- 
tion could exploit this extra freedom only by predicting in advance that the 
environment will violate $E$. A system does not control its environment, so 
it cannot predict what the environment will do. The specifications $E \Rightarrow M$ 
and $E \mathrel{\overset{+}{-\!\triangleright}} M$ therefore allow the same implementations. We take $E \mathrel{\overset{+}{-\!\triangleright}} M$ to 
be the form of assumption/guarantee specifications because this form leads 
to the simpler rules for composition. 

As suggested by the discussion in Section 2.2, composition works well 
only when environment assumptions are safety properties. Because $E \mathrel{\overset{+}{-\!\triangleright}} M$ 
is equivalent to $\mathcal{C}(E) \mathrel{\overset{+}{-\!\triangleright}} (\mathcal{C}(M) \wedge (E \Rightarrow M))$, we can in principle convert 
any assumption/guarantee specification to one whose assumption is a safety 
property. (A similar observation appears as Theorem 1 of [3].) However, this 
equivalence is of intellectual interest only. In practice, we write the environ- 
ment assumption as a safety property and the system's fairness guarantee 
as the conjunction of properties $E_L \Rightarrow \mathrm{WF}_v(A)$ and $E_L \Rightarrow \mathrm{SF}_v(A)$, where 
$E_L$ is an environment fairness assumption. We can apply Proposition 1 to 
show that the resulting specification is machine closed because, if $(P, L)$ 
is machine closed and $L$ implies $R$, then $(P, R)$ is also machine closed [2, 
Proposition 3]. 

5.2 The Composition Theorem 

Suppose we are given $n$ devices, each with an assumption/guarantee specifi- 
cation $E_j \mathrel{\overset{+}{-\!\triangleright}} M_j$. To verify that the composition of these devices implements 
a higher-level assumption/guarantee specification $E \mathrel{\overset{+}{-\!\triangleright}} M$, we must prove 
$\bigwedge_{j=1}^{n}(E_j \mathrel{\overset{+}{-\!\triangleright}} M_j) \Rightarrow (E \mathrel{\overset{+}{-\!\triangleright}} M)$. We use the following theorem: 
Theorem 3 (Composition Theorem) If, for $i = 1, \ldots, n$, 

1. $\models \mathcal{C}(E) \wedge \bigwedge_{j=1}^{n} \mathcal{C}(M_j) \Rightarrow E_i$ 

2. (a) $\models \mathcal{C}(E)^{+v} \wedge \bigwedge_{j=1}^{n} \mathcal{C}(M_j) \Rightarrow \mathcal{C}(M)$ 
   (b) $\models E \wedge \bigwedge_{j=1}^{n} M_j \Rightarrow M$ 

then $\models \bigwedge_{j=1}^{n} (E_j \mathrel{\overset{+}{-\!\triangleright}} M_j) \Rightarrow (E \mathrel{\overset{+}{-\!\triangleright}} M)$. 

This theorem also allows us to prove conditional implementation results of 
the form $G \wedge \bigwedge_{j=1}^{n}(E_j \mathrel{\overset{+}{-\!\triangleright}} M_j) \Rightarrow (E \mathrel{\overset{+}{-\!\triangleright}} M)$; we just let $M_1$ equal $G$ and 
$E_1$ equal $\mathit{true}$, since $\mathit{true} \mathrel{\overset{+}{-\!\triangleright}} G$ equals $G$. For interleaving specifications, 
we can in general prove only conditional implementation, where $G$ includes 
disjointness conditions asserting that the outputs of different components 
do not change simultaneously. 

The hypotheses of the Composition Theorem are similar to those of the 
Decomposition Theorem, and they are proved in much the same way. The 
major difference is that, for interleaving specifications, the orthogonality 
condition $\mathcal{C}(E) \bot \mathcal{C}(M)$ does not follow from the form of the component 
specifications, but requires explicit disjointness assumptions. 

Observe that the hypotheses have the form $\models P \wedge \bigwedge_{j=1}^{n} Q_j \Rightarrow R$. Each 
formula $P \wedge \bigwedge_{j=1}^{n} Q_j$ has the form of the specification of a complete system, 
with component specifications $P, Q_1, \ldots, Q_n$. Thus, each hypothesis asserts 
that a complete system satisfies a property $R$. In other words, the theorem 
reduces reasoning about assumption/guarantee specifications to the kind of 
reasoning used for complete-system specifications. 

Among the corollaries of the Composition Theorem are ones that allow 
us to prove that a lower-level specification implies a higher-level one. The 
simplest such result has, as its conclusion, $\models (E \mathrel{\overset{+}{-\!\triangleright}} M') \Rightarrow (E \mathrel{\overset{+}{-\!\triangleright}} M)$. This 
condition expresses the correctness of the refinement of a component with a 
fixed environment assumption. 

Corollary 1 If $E$ is a safety property and 

(a) $\models E^{+v} \wedge \mathcal{C}(M') \Rightarrow \mathcal{C}(M)$ 
(b) $\models E \wedge M' \Rightarrow M$ 

then $\models (E \mathrel{\overset{+}{-\!\triangleright}} M') \Rightarrow (E \mathrel{\overset{+}{-\!\triangleright}} M)$. 

5.3 The Queue Example 

The assumption/guarantee specification of the queue of Figure 2 is $QE \mathrel{\overset{+}{-\!\triangleright}} 
QM$, where $QM$ and $QE$ are defined in (7) and (8) of Section 4.1. We now 
compose two queues, as shown in Figure 7. The specifications of these queues 
are obtained from $QE \mathrel{\overset{+}{-\!\triangleright}} QM$ by substitution; they are $QE^{[1]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[1]}$ and 
$QE^{[2]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[2]}$. We want to show that their composition implements the 
$(2N+1)$-element queue specified by $QE^{[dbl]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[dbl]}$. The obvious thing 
to try to prove is 

$(QE^{[1]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[1]}) \wedge (QE^{[2]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[2]}) \Rightarrow (QE^{[dbl]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[dbl]})$ (13) 

We could prove this had we used a noninterleaving representation of the 
queue. However, (13) is not valid for an interleaving representation, for 
the following reason. The specification of the first queue does not men- 
tion $o$, and that of the second queue does not mention $i$. The conjunction 
of the two specifications allows an enqueue action of the first queue and a 
dequeue action of the second queue to happen simultaneously, a step that 
changes $i.ack$ and $o.snd$ simultaneously. But, in an interleaving representa- 
tion, the $(2N+1)$-element queue's guarantee does not allow such a step, so 
(13) must be invalid. Another problem with (13) is that the conjunction of 
the component queues' specifications allows a step that changes $z.snd$ and 
$o.ack$ simultaneously. Such a step satisfies the $(2N+1)$-element queue's en- 
vironment assumption $QE^{[dbl]}$, which does not mention $z$, so (13) asserts 
that the next step must satisfy its guarantee $QM^{[dbl]}$. However, a step 
that changes both $z.snd$ and $o.ack$ violates the second component queue's 
environment assumption $QE^{[2]}$, permitting the component queue to make 
arbitrary changes to $o.snd$ in the next step. A similar problem is caused by 
simultaneous changes to $i.snd$ and $z.ack$. 

We already faced the problem of disallowing simultaneous changes to 
different components' outputs in Section 4.2, where we decomposed an in- 
terleaving specification of a $(2N+1)$-element queue. There, the solution 
was to strengthen the next-state actions of the component queues and of 
the environment. This solution cannot be used if we want to compose pre- 
existing specifications without modifying them. In this case, we prove that 
the composition implements the larger queue under the assumption that the 
outputs of two different components do not change simultaneously. Thus, 
we prove 

$G \wedge (QE^{[1]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[1]}) \wedge (QE^{[2]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[2]}) \Rightarrow (QE^{[dbl]} \mathrel{\overset{+}{-\!\triangleright}} QM^{[dbl]})$ (14) 

where $G$ is the formula 

$G \triangleq \mathit{Disjoint}(\langle i.snd, o.ack\rangle, \langle z.snd, i.ack\rangle, \langle o.snd, z.ack\rangle)$ 

The proof is outlined in Figure 10. 

6 Conclusion 

We have developed a method for describing components of concurrent sys- 
tems as TLA formulas. We have shown how to describe a complete system 
as the conjunction of component specifications, and how to describe an open 
system as a formula E ^ M, where E and M are specifications of an en- 
vironment component and a system component, respectively. Although the 
idea of reducing programming concepts to logic is old, our approach is new. 
Our style of writing specifications is direct and, we believe, practical. 

We have also provided rules for proving properties of large systems by 
reasoning about their components. The Composition and Decomposition 
Theorems are rather simple, yet they allow fairness properties and hiding. 
They were preceded by results in a long list of publications, described next. 

Like ours, most previous composition theorems were strong, in the sense 
that they could handle circularities for safety properties. Our approach dif- 
fers from earlier ones in its general treatment of fairness and hiding. The 
first strong composition theorem we know is that of Misra and Chandy [16], 
who considered safety properties of processes communicating by means of 
CSP primitives. They wrote assumption/guarantee specifications as Hoare 
triples containing assertions about history variables. Pandya and Joseph [17] 
extended this approach to handle some liveness properties. Pnueli [19] was 
the first to use temporal logic to write assumption/guarantee specifications. 
He had a strong composition theorem for safety properties with no hiding. 
To handle liveness, he wrote assumption/guarantee specifications with im- 
plication instead of so he did not obtain a strong composition theorem. 
Stark [20] also wrote assumption/guarantee specifications as implications 
of temporal formulas and required that circularity be avoided. Our earlier 
work [3] was semantic, in a more complicated model with agents. It lacked 
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1. c(g^['*"]) AC(G') AC(gMW) AC(gM[2]) ^ g^^Ag^t^i 

Proof: We use Propositions 2 and 1 to remove the quantifiers and clo- 
sure operators from the left-hand side of the implication. The resulting 
formula then asserts that a complete system, consisting of the safety parts 
of the two queues (with their internal state visible) together with the en- 
vironment, implements QE^^'^ and QE^'^\ The proof of this formula is 
straightforward . 

2. c(g^['*"])+(,- o,^) AC(gMW) AC(G') AC(gM[2]) ^ c(gM[<*"]) 

2.1. c(G') AC(gMW) AC(gM[2]) ^ c(g^['*"]) ±c(gM[<*"]) 

2.1.1. C(/gMW) AC(/gM[2]) ^ q2 : Init^^ Mnit^^ 
Proof: Follows easily from Proposition 1 and the definitions. 

2.1.2. C(gMW) AC(gM[2]) ^ : Init^^ Mnit^^ 

Proof: 2.1.1 and Proposition 2 (since any predicate is a safety prop- 
erty). 

2.1.3. Q.E.D. 

Proof: 2.1.2, the definition of G, and Proposition 5 (since disjoint- 
ness is a safety property) . 

2.2. c(g^['*"]) AC(G') AC(gMW) AC(gM[2]) ^ c(gM[<*"]) 

Proof: We use Propositions 2 and 1 to remove the quantifiers and 
closures from the formula. The resulting formula is proved when proving 
the safety part of step 3. 

2.3. Q.E.D. 

Proof: 2.1, 2.2, and Proposition 4. 

3. g^t'*"] A G A gM[i] A gM[2] ^ gM[<*"] 

Proof: A direct calculation shows that the left-hand side of the implication implies CDQ, the complete-system specification of the double queue. We already observed in Section 3.2 that CDQ implements Cg^'^'^'^, which equals QE^'^^^^ A QM^'^^^\ 

4. Q.E.D. 

Proof: 1-3 and the Composition Theorem, substituting 

Mi^G M2 ^ gM[i] M3 ^ gM[2] M ^ gM 

El ^ true E2 ^ g^[^] E3 ^ QE^^^ E ^ QE^'^^^'^ 
Figure 10: Proof sketch of (14). 
practical proof rules for handling fairness and hiding. Collette [8] adapted this work to Unity. Abadi and Plotkin [4] used a propositional logic with agents, and considered only safety properties. 

Most previous papers were concerned only with composition of assumption/guarantee specifications, and lacked an analog of our Decomposition Theorem. An exception is the work of Berthet and Cerny [7], who used decomposition in proving safety properties for finite-state automata. 

So far, we have applied our Composition Theorem only to toy examples. Formal reasoning about systems is still rare, and it generally occurs on a case-by-case basis. When the specification of a component is used only to verify a specific system, there is no need for a general assumption/guarantee specification. For most practical applications, decomposition suffices. When decomposition does not suffice, the Composition Theorem makes reasoning about open systems almost as easy as reasoning about complete ones. 

We have used our Decomposition Theorem with no difficulty on a few toy examples. However, we believe that its biggest payoff will be for systems that are too complex to verify easily by hand. The theorem makes it possible for decision procedures to do most of the work in verifying a system, even when these procedures cannot be applied to the whole system because its state space is very large or unbounded. This approach is currently being pursued in one substantial example: the mechanical verification of a multiplier circuit using a combination of TLA reasoning and mechanical verification with COSPAN [11]. Because it eliminates reasoning about the complete low-level system, the Decomposition Theorem is the key to this division of labor. 
A Appendix 

We now prove our propositions and theorems. Section A.1 introduces some definitions and notation required for the proofs, and explains our structured proof notation. The proofs are in Section A.2. 

A.1 Definitions 

A.1.1 Additional Semantic Notions 

As before, $\circ$ denotes concatenation of sequences, and angle brackets $\langle\ \rangle$ are used to form sequences. We write $\sigma|_n$ for the finite behavior consisting of the first $n$ states of a behavior $\sigma$. In particular, $\sigma|_0$ is the empty sequence $\langle\ \rangle$, which satisfies every formula. We write $\sigma_n$ for the $n$th state of behavior $\sigma$, so $\sigma$ equals $\langle \sigma_1, \sigma_2, \ldots \rangle$. When $\sigma$ is finite, we write $\mathit{last}(\sigma)$ for its last state, and $|\sigma|$ for its length. 

We let $[\![e]\!]$ denote the meaning of an expression $e$. When $e$ is a state function, $[\![e]\!]$ is a mapping from states to values; in the special case when $e$ is a state predicate, $[\![e]\!]$ is a mapping from states to truth values. When $e$ is an action, $[\![e]\!]$ is a mapping from pairs of states to truth values. When $e$ is a temporal formula, $[\![e]\!]$ is a mapping from behaviors to truth values. We extend this mapping to finite behaviors by letting $[\![e]\!](\rho) = \mathit{true}$ iff $[\![e]\!](\sigma) = \mathit{true}$ for some $\sigma$ that extends $\rho$. In all cases, we let $m \models e$ mean $[\![e]\!](m) = \mathit{true}$. If $F$ is a temporal formula and $\sigma$ a behavior, then $\sigma \models C(F)$ iff $\sigma|_n \models F$ for all $n$. Hence, $[\![C(F)]\!](\rho) = [\![F]\!](\rho)$ for any finite behavior $\rho$. 

If $s$ and $t$ are states and $x$ is a tuple of variables, we write $s =_x t$ when $s$ and $t$ are identical except possibly for the value they assign to the tuple $x$. In other words, $s =_x t$ iff $[\![y]\!](s) = [\![y]\!](t)$ for every variable $y$ not in the tuple $x$. We extend this notion to behaviors, and write $\sigma =_x \tau$ iff $\sigma_n =_x \tau_n$ for all $n > 0$. 

The stutter-free version of a behavior is the behavior obtained by removing from it all finite repetitions of states; thus, the stutter-free version of $\sigma \circ \langle s, s \rangle \circ \tau$ equals the stutter-free version of $\sigma \circ \langle s \rangle \circ \tau$. Two behaviors are stuttering equivalent iff they have the same stutter-free version. Every TLA formula $F$ is invariant under stuttering, in the sense that $[\![F]\!](\sigma) = [\![F]\!](\tau)$ for any two stuttering-equivalent behaviors $\sigma$ and $\tau$. More generally, $[\![F]\!](\sigma) = [\![F]\!](\tau)$ if there is a behavior $\hat\sigma$ stuttering equivalent to $\sigma$ such that $[\![y]\!](\hat\sigma_n) = [\![y]\!](\tau_n)$ for all $n > 0$ and all variables $y$ occurring free in $F$. 
We write $\sigma \simeq_x \tau$ when $\hat\sigma =_x \hat\tau$ for some $\hat\sigma$ and $\hat\tau$ stuttering equivalent to $\sigma$ and $\tau$, respectively. If $F$ is a TLA formula and $\sigma$ a behavior, we let $[\![\exists\, x : F]\!](\sigma) = \mathit{true}$ iff there exists a behavior $\tau$ such that $\sigma \simeq_x \tau$ and $[\![F]\!](\tau) = \mathit{true}$. Equivalently, since $F$ is invariant under stuttering, $[\![\exists\, x : F]\!](\sigma) = \mathit{true}$ iff there exist behaviors $\hat\sigma$ and $\hat\tau$ such that $\hat\sigma$ is stuttering equivalent to $\sigma$, $\hat\sigma =_x \hat\tau$, and $[\![F]\!](\hat\tau) = \mathit{true}$. 

An operator $H$ on formulas is superdiagonal iff $\models A \Rightarrow H(A)$ for all $A$ in its domain. For example, $C$ is superdiagonal. As usual, an operator $H$ is monotonic iff $\models A \Rightarrow B$ implies $\models H(A) \Rightarrow H(B)$ for all $A$ and $B$. Antimonotonicity is defined similarly, with the second implication reversed. 

A.1.2 Proof Notation 

Reliable reasoning about specifications depends on the correctness of the underlying logical proofs. Even a minor error, such as the omission of a hypothesis in a proposition, could allow one to "prove" the correctness of an incorrect implementation. To avoid such errors, we provide detailed, hierarchically structured proofs. 

In our proof notation, the theorem to be proved is statement ⟨0⟩1. The proof of statement ⟨i⟩j is either an ordinary paragraph-style proof or the sequence of statements ⟨i+1⟩1, ⟨i+1⟩2, ... and their proofs. (The absence of a proof means that the statement follows easily from definitions, previous statements, and assumptions.) Within a proof, ⟨k⟩l denotes the most recent statement with that number. A statement has the form 

Assume: Assump   Prove: Goal 

which is abbreviated to Goal if there is no assumption. The assertion Q.E.D. in statement number ⟨i+1⟩k of the proof of statement ⟨i⟩j denotes the goal of statement ⟨i⟩j. The statement 

Case: Assump 

is an abbreviation for 

Assume: Assump   Prove: Q.E.D. 

Within the proof of statement ⟨i⟩j, assumption ⟨i⟩ denotes that statement's assumption, and ⟨i⟩:k denotes the assumption's $k$th item. 

We recommend that proofs be read hierarchically, from the top level down. To read the proof of a long level-$k$ step: (i) read the level-$(k+1)$ statements that comprise its proof, together with the proof of the final Q.E.D. step (which is usually a short paragraph), and (ii) read the proof of each level-$(k+1)$ step, in any desired order. 
A.2 Proofs 

Results are organized in groups that roughly correspond to their subject and to the position of the corresponding discussion in the text. 

Our proofs employ many lemmas. We omit the proofs of some of the simpler ones. We also omit the proof of Proposition 1, which is given in [2]. 

A.2.1 Properties of $-\!\triangleright$ and $+\!\triangleright$ 

The proofs of most of these properties are straightforward and are omitted. Some of the basic arguments about $-\!\triangleright$ can be found in [4]. 

Lemma 1 If $P$, $Q$, and $R$ are safety properties, then 

1. $P -\!\triangleright Q$ and $P +\!\triangleright Q$ are safety properties. 

2. $\models P \Rightarrow (Q -\!\triangleright R)$ if and only if $\models P \wedge Q \Rightarrow R$. 

Lemma 2 For any properties $P$ and $Q$, 

1. $\models (P -\!\triangleright Q) = (C(P) -\!\triangleright C(Q)) \wedge (P \Rightarrow Q)$ 

2. $\models (P +\!\triangleright Q) = (C(P) +\!\triangleright C(Q)) \wedge (P \Rightarrow Q)$ 

Lemma 3 For any properties $P$ and $Q$, 

1. $\models P \wedge (P -\!\triangleright Q) \Rightarrow Q$ 

2. $\models P \wedge (P +\!\triangleright Q) \Rightarrow Q$ 

Lemma 4 If $P$ and $Q$ are safety properties, then 

$$\models (P -\!\triangleright Q) \wedge (Q -\!\triangleright P) \Rightarrow ((P \vee Q) -\!\triangleright (P \wedge Q))$$ 

Lemma 5 If $P_i$ and $Q_i$ are safety properties, for $i = 1, \ldots, n$, then 

$$\models \bigwedge_{i=1}^{n} (P_i +\!\triangleright Q_i) \Rightarrow \Bigl(\bigl(\bigwedge_{i=1}^{n} P_i\bigr) +\!\triangleright \bigl(\bigwedge_{i=1}^{n} Q_i\bigr)\Bigr)$$ 

Lemma 6 If $P$ is a safety property and $Q$ is any property, then 
$$\models (P +\!\triangleright Q) = ((Q -\!\triangleright P) \Rightarrow Q)$$ 

Lemma 7 

Assume: 1. $P$, $Q$, and $R$ are safety properties. 
        2. $\models Q \wedge R \Rightarrow P$ 
Prove: $\models (P +\!\triangleright Q) \Rightarrow (R +\!\triangleright Q)$ 

⟨1⟩1. $\models (Q -\!\triangleright R) \Rightarrow (Q -\!\triangleright P)$ 
⟨2⟩1. $\models Q \wedge (Q -\!\triangleright R) \Rightarrow R$ 
Proof: Lemma 3(1). □ 
⟨2⟩2. $\models Q \wedge (Q -\!\triangleright R) \Rightarrow (Q \wedge R)$ 
Proof: ⟨2⟩1 and propositional logic. □ 
⟨2⟩3. $\models Q \wedge (Q -\!\triangleright R) \Rightarrow P$ 
Proof: ⟨2⟩2 and assumption ⟨0⟩:2. □ 
⟨2⟩4. Q.E.D. 
Proof: ⟨2⟩3, assumption ⟨0⟩:1, and Lemma 1(2). □ 
⟨1⟩2. $\models (P +\!\triangleright Q) \wedge (Q -\!\triangleright P) \Rightarrow Q$ 
Proof: Assumption ⟨0⟩:1, Lemma 6, and Lemma 3(1). □ 
⟨1⟩3. $\models (P +\!\triangleright Q) \wedge (Q -\!\triangleright R) \Rightarrow Q$ 
Proof: ⟨1⟩2 and ⟨1⟩1. □ 
⟨1⟩4. $\models (P +\!\triangleright Q) \Rightarrow ((Q -\!\triangleright R) \Rightarrow Q)$ 
Proof: ⟨1⟩3, assumption ⟨0⟩:1, and Lemma 1. □ 
⟨1⟩5. Q.E.D. 
Proof: ⟨1⟩4, assumption ⟨0⟩:1, and Lemma 6. □ 

A.2.2 Closure and Existential Quantification 

These results are useful for reasoning about the closure of a quantified formula. This reasoning can be difficult because $C$ and $\exists$ do not commute. 

Lemma 8 For any property $M$ and tuple of variables $x$, 

$$\models C(\exists\, x : C(M)) = C(\exists\, x : M)$$ 

⟨1⟩1. $\models C(\exists\, x : M) \Rightarrow C(\exists\, x : C(M))$ 
Proof: $C$ is superdiagonal and both $C$ and $\exists\, x$ are monotonic. □ 
⟨1⟩2. $\models C(\exists\, x : C(M)) \Rightarrow C(\exists\, x : M)$ 
⟨2⟩1. $\models M \Rightarrow \exists\, x : M$ 
Proof: $\exists$ is superdiagonal. □ 
⟨2⟩2. $\models C(M) \Rightarrow C(\exists\, x : M)$ 
Proof: ⟨2⟩1 and the monotonicity of $C$. □ 
⟨2⟩3. $\models (\exists\, x : C(M)) \Rightarrow C(\exists\, x : M)$ 
Proof: ⟨2⟩2, since $x$ does not occur free in $C(\exists\, x : M)$. □ 
⟨2⟩4. Q.E.D. 
Proof: ⟨2⟩3 and the monotonicity and idempotence of $C$. □ 
⟨1⟩3. Q.E.D. 
Lemma 9 

Assume: $x_i$ is a tuple of variables, and no variable in $x_i$ occurs free in $M_j$, for all $i, j \in \{1, \ldots, n\}$ with $i \neq j$. 
Prove: $\models \bigwedge_{i=1}^{n} C(\exists\, x_i : M_i) \Rightarrow C(\exists\, x_1, \ldots, x_n : \bigwedge_{i=1}^{n} C(M_i))$ 

The proof is by induction on $n$, setting apart the cases for $n = 1$ and $n = 2$. 
⟨1⟩1. Case: $n = 1$ 
Proof: Immediate from Lemma 8. □ 
⟨1⟩2. Case: $n = 2$ 
Let: $A \triangleq C(\exists\, x_1, x_2 : C(M_1) \wedge C(M_2))$ 
⟨2⟩1. $\models C(M_1) \wedge C(M_2) \Rightarrow A$ 
Proof: Predicate logic, since $C$ is superdiagonal. □ 
⟨2⟩2. $\models C(M_1) \Rightarrow (C(M_2) -\!\triangleright A)$ 
Proof: ⟨2⟩1 and Lemma 1(2). □ 
⟨2⟩3. $\models M_1 \Rightarrow (C(M_2) -\!\triangleright A)$ 
Proof: ⟨2⟩2, since $C$ is superdiagonal. □ 
⟨2⟩4. $\models (\exists\, x_1 : M_1) \Rightarrow (C(M_2) -\!\triangleright A)$ 
Proof: ⟨2⟩3 and the hypothesis that no variable of $x_1$ occurs free in $M_2$. □ 
⟨2⟩5. $\models C(\exists\, x_1 : M_1) \Rightarrow (C(M_2) -\!\triangleright A)$ 
Proof: ⟨2⟩4 and the monotonicity and idempotence of $C$, since $A$ is closed by definition and $C(M_2) -\!\triangleright A$ is closed by Lemma 1(1). □ 
⟨2⟩6. $\models C(M_2) \Rightarrow (C(\exists\, x_1 : M_1) -\!\triangleright A)$ 
Proof: ⟨2⟩5 and two applications of Lemma 1(2). □ 
⟨2⟩7. $\models M_2 \Rightarrow (C(\exists\, x_1 : M_1) -\!\triangleright A)$ 
Proof: ⟨2⟩6, since $C$ is superdiagonal. □ 
⟨2⟩8. $\models (\exists\, x_2 : M_2) \Rightarrow (C(\exists\, x_1 : M_1) -\!\triangleright A)$ 
Proof: ⟨2⟩7 and predicate logic. □ 
⟨2⟩9. $\models C(\exists\, x_2 : M_2) \Rightarrow (C(\exists\, x_1 : M_1) -\!\triangleright A)$ 
Proof: ⟨2⟩8, Lemma 1(1), and the monotonicity and idempotence of $C$. □ 
⟨2⟩10. Q.E.D. 
Proof: ⟨2⟩9 and Lemma 1(2). □ 
⟨1⟩3. Case: $n > 2$ 
Assume: $\models \bigwedge_{i=1}^{n-1} C(\exists\, x_i : M_i) \Rightarrow C(\exists\, x_1 \ldots x_{n-1} : \bigwedge_{i=1}^{n-1} C(M_i))$ 
Prove: $\models \bigwedge_{i=1}^{n} C(\exists\, x_i : M_i) \Rightarrow C(\exists\, x_1 \ldots x_n : \bigwedge_{i=1}^{n} C(M_i))$ 

Proof: $\bigwedge_{i=1}^{n} C(\exists\, x_i : M_i)$ 
$\Rightarrow C(\exists\, x_1 \ldots x_{n-1} : \bigwedge_{i=1}^{n-1} C(M_i)) \wedge C(\exists\, x_n : M_n)$ 
by assumption ⟨1⟩ 
$= C(\exists\, x_1 \ldots x_{n-1} : C(\bigwedge_{i=1}^{n-1} C(M_i))) \wedge C(\exists\, x_n : M_n)$ 
a conjunction of safety properties is a safety property 
$\Rightarrow C(\exists\, x_1 \ldots x_n : C(\bigwedge_{i=1}^{n-1} C(M_i)) \wedge C(M_n))$ 
by ⟨1⟩2 
$= C(\exists\, x_1 \ldots x_n : \bigwedge_{i=1}^{n} C(M_i))$ 
a conjunction of safety properties is a safety property 

⟨1⟩4. Q.E.D. 
Proposition 2 

Assume: 1. $x_i$ is a tuple of variables, and no variable in $x_i$ occurs free in $M$ or $M_j$, for all $i, j \in \{1, \ldots, n\}$ with $i \neq j$ 
        2. $\models \bigwedge_{i=1}^{n} C(M_i) \Rightarrow \exists\, x : C(M)$ 
Prove: $\models \bigwedge_{i=1}^{n} C(\exists\, x_i : M_i) \Rightarrow C(\exists\, x : M)$ 

Proof: $\bigwedge_{i=1}^{n} C(\exists\, x_i : M_i)$ 
$\Rightarrow C(\exists\, x_1 \ldots x_n : \bigwedge_{i=1}^{n} C(M_i))$ 
by Lemma 9 and assumption ⟨0⟩:1 
$\Rightarrow C(\exists\, x_1 \ldots x_n : \exists\, x : C(M))$ 
by assumption ⟨0⟩:2 and the monotonicity of $\exists$ and $C$ 
$= C(\exists\, x : C(M))$ 
by assumption ⟨0⟩:1 
$= C(\exists\, x : M)$ 
by Lemma 8. □ 

A.2.3 Properties of $(\ldots)_{+v}$ 

Lemma 10 For any state function $f$, if $P$ is a safety property, then $P_{+f}$ is a safety property. 

Proof: By the definition of safety properties, it suffices to: 
Assume: 1. $P$ a safety property. 
        2. $\forall n : \sigma|_n \models P_{+f}$ 
Prove: $\sigma \models P_{+f}$ 
⟨1⟩1. Case: $\forall n : \sigma|_n \models P$ 
Proof: Assumption ⟨0⟩:1. □ 
⟨1⟩2. Case: $\exists\, n : \neg(\sigma|_n \models P)$ 
⟨2⟩1. Choose the largest $m$ such that $\sigma|_m \models P$. 
Proof: $m$ exists since $\sigma|_0 \models P$ is true for any $\sigma$ and $P$. □ 
⟨2⟩2. $\forall n > m : [\![f]\!](\sigma_n) = [\![f]\!](\sigma_{n+1})$ 
Proof: ⟨2⟩1, assumption ⟨0⟩:2, and the definition of $P_{+f}$. □ 
⟨2⟩3. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, and the definition of $P_{+f}$. □ 
⟨1⟩3. Q.E.D. 

Lemma 11 

Assume: 1. $P$ and $Q$ are safety properties. 
        2. the tuple $x$ includes all the free variables of $Q$. 
Prove: $\models (P_{+x} \Rightarrow Q) = (P +\!\triangleright Q)$ 

⟨1⟩1. $\models (P_{+x} \Rightarrow Q) \Rightarrow (P +\!\triangleright Q)$ 
By assumption ⟨0⟩:1, Lemma 1(1), and the definition of $+\!\triangleright$, it suffices to: 
Assume: 1. For all $n$, $\sigma|_n \models (P_{+x} \Rightarrow Q)$ 
        2. $\sigma|_{n-1} \models P$ 
Prove: $\sigma|_n \models Q$ 
⟨2⟩1. $\sigma|_n \models P_{+x}$ 
Proof: By assumption ⟨1⟩:2 and the definition of $P_{+x}$. □ 
⟨2⟩2. Q.E.D. 
Proof: ⟨2⟩1 and assumption ⟨1⟩:1. □ 
⟨1⟩2. $\models (P +\!\triangleright Q) \Rightarrow (P_{+x} \Rightarrow Q)$ 
By assumption ⟨0⟩:1, Lemmas 10 and 1(1), and the definition of $-\!\triangleright$, it suffices to: 
Assume: 1. For all $n$, $\sigma|_n \models (P +\!\triangleright Q)$ 
        2. $\sigma|_n \models P_{+x}$ 
Prove: $\sigma|_n \models Q$ 
⟨2⟩1. Choose $m < n$ such that 
1. $\sigma|_m \models P$ 
2. $\forall p : m < p \leq n \Rightarrow [\![x]\!](\sigma_p) = [\![x]\!](\sigma_{m+1})$ 
Proof: Assumption ⟨1⟩:2. □ 
⟨2⟩2. $\sigma|_{m+1} \models Q$ 
Proof: ⟨2⟩1.1 and assumption ⟨1⟩:1. □ 
⟨2⟩3. Q.E.D. 
Proof: ⟨2⟩2, ⟨2⟩1.2, and assumption ⟨0⟩:2, since $Q$ is invariant under stuttering. □ 
⟨1⟩3. Q.E.D. 

Lemma 12 

Assume: 1. $P$, $Q$, and $R$ are safety properties. 
        2. $\models R_{+f} \wedge P \Rightarrow Q$ 
Prove: $\models (R +\!\triangleright P) \Rightarrow (R +\!\triangleright Q)$ 

⟨1⟩1. $\models R +\!\triangleright R_{+f}$ 
By assumption ⟨0⟩:1 and Lemmas 10 and 1, it suffices to: 
Assume: $\sigma|_n \models R$ 
Prove: $\sigma|_{n+1} \models R_{+f}$ 
⟨2⟩1. $\sigma|_{n+1} \circ \langle \sigma_{n+1}, \sigma_{n+1}, \ldots \rangle \models R_{+f}$ 
Proof: The definition of $R_{+f}$. □ 
⟨2⟩2. Q.E.D. 
⟨1⟩2. Q.E.D. 
Proof: $(R +\!\triangleright P) \Rightarrow (R +\!\triangleright P) \wedge (R +\!\triangleright R_{+f})$ 
by ⟨1⟩1 
$\Rightarrow (R +\!\triangleright (P \wedge R_{+f}))$ 
by assumption ⟨0⟩:1 and Lemmas 5 and 10 
$\Rightarrow (R +\!\triangleright Q)$ 
by assumption ⟨0⟩:2 and monotonicity of $+\!\triangleright$ in its second argument. □ 

Lemma 13 

Assume: No variable of the tuple $x$ occurs free in $v$. 
Prove: $\models (\exists\, x : P_{+v}) = (\exists\, x : P)_{+v}$ 

⟨1⟩1. $\models (\exists\, x : P_{+v}) \Rightarrow (\exists\, x : P)_{+v}$ 
Assume: $\sigma \models (\exists\, x : P_{+v})$ 
Prove: $\sigma \models (\exists\, x : P)_{+v}$ 
⟨2⟩1. Choose $\hat\sigma$ such that $\sigma \simeq_x \hat\sigma$ and $\hat\sigma \models P_{+v}$. 
Proof: Assumption ⟨1⟩ and the definition of $\exists$. □ 
⟨2⟩2. Case: $\hat\sigma \models P$ 
⟨3⟩1. $\sigma \models (\exists\, x : P)$ 
Proof: ⟨2⟩1 and case assumption ⟨2⟩. □ 
⟨3⟩2. Q.E.D. 
Proof: ⟨3⟩1 and the definition of $(\ldots)_{+v}$. □ 
⟨2⟩3. Case: There exist $\hat\rho$ and $\hat\tau$ such that $\hat\sigma = \hat\rho \circ \hat\tau$, $\hat\rho \models P$, and $\hat\tau \models \Box[\mathit{false}]_v$. 
⟨3⟩1. Choose $\rho$ and $\tau$ such that $\sigma = \rho \circ \tau$, $\rho \simeq_x \hat\rho$, and $\tau \simeq_x \hat\tau$. 
Proof: ⟨2⟩1 and case assumption ⟨2⟩. □ 
⟨3⟩2. $\rho \models \exists\, x : P$ 
Proof: ⟨3⟩1 (which asserts $\rho \simeq_x \hat\rho$) and case assumption ⟨2⟩ (which asserts $\hat\rho \models P$). □ 
⟨3⟩3. $\tau \models \Box[\mathit{false}]_v$ 
Proof: ⟨3⟩1 (which asserts $\tau \simeq_x \hat\tau$), case assumption ⟨2⟩ (which asserts $\hat\tau \models \Box[\mathit{false}]_v$), and assumption ⟨0⟩. □ 
⟨3⟩4. Q.E.D. 
Proof: ⟨3⟩1 (which asserts $\sigma = \rho \circ \tau$), ⟨3⟩2, ⟨3⟩3, and the definition of $(\ldots)_{+v}$. □ 
⟨2⟩4. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, ⟨2⟩3, and the definition of $(\ldots)_{+v}$. □ 
⟨1⟩2. $\models (\exists\, x : P)_{+v} \Rightarrow (\exists\, x : P_{+v})$ 
Assume: $\sigma \models (\exists\, x : P)_{+v}$ 
Prove: $\sigma \models (\exists\, x : P_{+v})$ 
⟨2⟩1. Case: $\sigma \models (\exists\, x : P)$ 
Proof: Immediate, since $\models P \Rightarrow P_{+v}$ and $\exists$ is monotonic. □ 
⟨2⟩2. Case: There exist $\rho$ and $\tau$ such that $\sigma = \rho \circ \tau$, $\rho \models \exists\, x : P$, and $\tau \models \Box[\mathit{false}]_v$. 
⟨3⟩1. Choose $\hat\rho$ such that $\rho \simeq_x \hat\rho$ and $\hat\rho \models P$. 
Proof: Case assumption ⟨2⟩ and the definition of $\exists$. □ 
⟨3⟩2. $\hat\rho \circ \tau \models P_{+v}$ 
Proof: ⟨3⟩1, case assumption ⟨2⟩ (which asserts $\tau \models \Box[\mathit{false}]_v$), and the definition of $(\ldots)_{+v}$. □ 
⟨3⟩3. Q.E.D. 
Proof: ⟨3⟩1, ⟨3⟩2, and case assumption ⟨2⟩, which imply $\hat\rho \circ \tau \simeq_x \sigma$. □ 
⟨2⟩3. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, and the definition of $(\ldots)_{+v}$. □ 
⟨1⟩3. Q.E.D. 

Lemma 14 If $s$ is a variable that does not occur in $\mathit{Init}$, $N$, $w$, or $v$, and 

$$\widetilde{\mathit{Init}} \triangleq (\mathit{Init} \wedge (s = 0)) \vee (\neg\mathit{Init} \wedge (s = 1))$$ 

$$\widetilde{N} \triangleq \begin{array}{ll} \vee\; (s = 0) \wedge & \vee\; (s' = 0) \wedge (N \vee (w' = w)) \\ & \vee\; (s' = 1) \wedge \neg(N \vee (w' = w)) \\ \multicolumn{2}{l}{\vee\; (s = 1) \wedge (s' = 1) \wedge (v' = v)} \end{array}$$ 

then $\models (\mathit{Init} \wedge \Box[N]_w)_{+v} = \exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$. 

⟨1⟩1. $\models (\mathit{Init} \wedge \Box[N]_w)_{+v} \Rightarrow \exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$ 
Assume: $\sigma \models (\mathit{Init} \wedge \Box[N]_w)_{+v}$ 
Prove: $\sigma \models \exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$ 
Let: $\hat\sigma$ be the behavior such that $\hat\sigma =_s \sigma$ and, for all $n > 0$: 
$[\![s]\!](\hat\sigma_n) = \mathbf{if}\ \sigma|_n \models (\mathit{Init} \wedge \Box[N]_w)\ \mathbf{then}\ 0\ \mathbf{else}\ 1$ 
⟨2⟩1. $\hat\sigma \models \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$ 
⟨3⟩1. $\hat\sigma \models \widetilde{\mathit{Init}}$ 
Proof: The definitions of $\hat\sigma$ and $\widetilde{\mathit{Init}}$, assumption ⟨1⟩, and the hypothesis that $s$ does not occur in $\mathit{Init}$. □ 
⟨3⟩2. $\hat\sigma \models \Box[\widetilde{N}]_{(w,v,s)}$ 
⟨4⟩1. Case: $\sigma \models \mathit{Init} \wedge \Box[N]_w$ 
⟨5⟩1. $\hat\sigma \models \Box[(s = 0) \wedge (s' = 0) \wedge (N \vee (w' = w))]_{(w,v,s)}$ 
Proof: The definition of $\hat\sigma$, case assumption ⟨4⟩, and the hypothesis that $s$ does not occur in $N$ or $w$. □ 
⟨5⟩2. Q.E.D. 
Proof: ⟨5⟩1 and the definition of $\widetilde{N}$. □ 
⟨4⟩2. Case: $\sigma \not\models \mathit{Init}$ 
⟨5⟩1. $\sigma \models \Box[\mathit{false}]_v$ 
Proof: Case assumption ⟨4⟩, assumption ⟨1⟩, and the definition of $(\ldots)_{+v}$. □ 
⟨5⟩2. $\hat\sigma \models \Box(s = 1) \wedge \Box[\mathit{false}]_v$ 
Proof: ⟨5⟩1 and the definition of $\hat\sigma$. □ 
⟨5⟩3. Q.E.D. 
Proof: ⟨5⟩2 and the definition of $\widetilde{N}$. □ 
⟨4⟩3. Case: $\sigma \models \mathit{Init}$ and $\sigma \not\models \mathit{Init} \wedge \Box[N]_w$. 
⟨5⟩1. Choose $\rho$ and $\tau$ with $|\rho| > 0$ such that 
1. $\sigma = \rho \circ \tau$, 
2. $\rho \models \mathit{Init} \wedge \Box[N]_w$ 
3. $\rho \circ \langle \tau_1 \rangle \not\models \Box[N]_w$ 
4. $\tau \models \Box[\mathit{false}]_v$ 
Proof: Case assumption ⟨4⟩, assumption ⟨1⟩, and the definition of $(\ldots)_{+v}$. □ 
⟨5⟩2. Choose $\hat\rho$ and $\hat\tau$ such that $\hat\sigma = \hat\rho \circ \hat\tau$, $\hat\rho =_s \rho$, and $\hat\tau =_s \tau$. 
Proof: The definition of $\hat\sigma$ and ⟨5⟩1.1. □ 
⟨5⟩3. $\hat\rho \models \Box[(s = 0) \wedge (s' = 0) \wedge (N \vee (w' = w))]_{(w,v,s)}$ 
Proof: The definition of $\hat\sigma$, ⟨5⟩1.2, ⟨5⟩2, and the hypothesis that $s$ does not occur in $N$ or $w$. □ 
⟨5⟩4. $(\mathit{last}(\hat\rho), \hat\tau_1) \models (s = 0) \wedge (s' = 1) \wedge \neg N \wedge (w' \neq w)$ 
Proof: The definition of $\hat\sigma$, ⟨5⟩1.3, ⟨5⟩2, and the hypothesis that $s$ does not occur in $N$ or $w$. □ 
⟨5⟩5. $\hat\tau \models \Box(s = 1) \wedge \Box[\mathit{false}]_v$ 
Proof: The definition of $\hat\sigma$, ⟨5⟩1.4, ⟨5⟩2, and the hypothesis that $s$ does not occur in $v$. □ 
⟨5⟩6. Q.E.D. 
Proof: ⟨5⟩2, ⟨5⟩3, ⟨5⟩4, and ⟨5⟩5, and the definition of $\widetilde{N}$. □ 
⟨4⟩4. Q.E.D. 
Proof: ⟨4⟩1, ⟨4⟩2, ⟨4⟩3, assumption ⟨1⟩, and the definition of $(\ldots)_{+v}$. □ 
⟨3⟩3. Q.E.D. 
⟨2⟩2. Q.E.D. 
Proof: The definition of $\hat\sigma$, ⟨2⟩1, and the definition of $\exists$. □ 
⟨1⟩2. $\models (\exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}) \Rightarrow (\mathit{Init} \wedge \Box[N]_w)_{+v}$ 
Assume: $\sigma \models \exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$ 
Prove: $\sigma \models (\mathit{Init} \wedge \Box[N]_w)_{+v}$ 
⟨2⟩1. Choose $\hat\sigma$ such that $\sigma \simeq_s \hat\sigma$ and $\hat\sigma \models \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$. 
Proof: Assumption ⟨1⟩ and the definition of $\exists$. □ 
⟨2⟩2. $\hat\sigma \models (\mathit{Init} \wedge \Box[N]_w)_{+v}$ 
⟨3⟩1. Case: $\hat\sigma \models \Box(s = 0)$ 
⟨4⟩1. $\hat\sigma \models (\mathit{Init} \wedge \Box[N]_w)$ 
Proof: ⟨2⟩1, case assumption ⟨3⟩, and the definitions of $\widetilde{\mathit{Init}}$ and $\widetilde{N}$. □ 
⟨4⟩2. Q.E.D. 
Proof: ⟨4⟩1, since the operator $(\ldots)_{+v}$ is superdiagonal. □ 
⟨3⟩2. Case: $\hat\sigma \models \Box(s = 1)$ 
⟨4⟩1. $\hat\sigma \models \Box[\mathit{false}]_v$ 
Proof: ⟨2⟩1, the definition of $\widetilde{N}$, and case assumption ⟨3⟩. □ 
⟨4⟩2. Q.E.D. 
Proof: ⟨4⟩1 and the definition of $(\ldots)_{+v}$. □ 
⟨3⟩3. Case: $\hat\sigma \not\models \Box(s = 0)$ and $\hat\sigma \not\models \Box(s = 1)$ 
⟨4⟩1. Choose $\hat\rho$ and $\hat\tau$ with $|\hat\rho| > 0$ such that 
1. $\hat\sigma = \hat\rho \circ \hat\tau$ 
2. $\hat\rho \models \Box(s = 0)$ 
3. $\hat\tau \models \Box(s = 1)$ 
Proof: Case assumption ⟨3⟩, ⟨2⟩1, and the definitions of $\widetilde{\mathit{Init}}$ and $\widetilde{N}$. □ 
⟨4⟩2. $\hat\rho \models (\mathit{Init} \wedge \Box[N]_w)$ 
Proof: ⟨2⟩1, ⟨4⟩1.2, and the definitions of $\widetilde{\mathit{Init}}$ and $\widetilde{N}$. □ 
⟨4⟩3. $\hat\tau \models \Box[\mathit{false}]_v$ 
Proof: ⟨2⟩1, ⟨4⟩1.3, and the definition of $\widetilde{N}$. □ 
⟨4⟩4. Q.E.D. 
Proof: ⟨4⟩1.1, ⟨4⟩2, ⟨4⟩3, ⟨3⟩, and the definition of $(\ldots)_{+v}$. □ 
⟨3⟩4. Q.E.D. 
⟨2⟩3. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, and the hypothesis that $s$ does not occur in $\mathit{Init}$, $N$, $w$, or $v$. □ 
⟨1⟩3. Q.E.D. 

Proposition 3 If $x$ is a tuple of variables none of which occurs in $v$, and $s$ is a variable that does not occur in $\mathit{Init}$, $N$, $w$, $v$, or $x$, and 

$$\widetilde{\mathit{Init}} \triangleq (\mathit{Init} \wedge (s = 0)) \vee (\neg\mathit{Init} \wedge (s = 1))$$ 

$$\widetilde{N} \triangleq \begin{array}{ll} \vee\; (s = 0) \wedge & \vee\; (s' = 0) \wedge (N \vee (w' = w)) \\ & \vee\; (s' = 1) \wedge \neg(N \vee (w' = w)) \\ \multicolumn{2}{l}{\vee\; (s = 1) \wedge (s' = 1) \wedge (v' = v)} \end{array}$$ 

then $\models (\exists\, x : \mathit{Init} \wedge \Box[N]_w)_{+v} = \exists\, x, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$. 
Proof: Follows immediately from Lemmas 13 and 14. □ 
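The following is an added illustration of Lemma 14, not part of the paper: it instantiates the lemma on a hypothetical counter specification ($\mathit{Init} \triangleq (x = 0)$, $N \triangleq (x' = x + 1)$, $w \triangleq v \triangleq x$; all of these are assumptions of the example) and checks, on every finite behavior prefix over a small domain, that $(\mathit{Init} \wedge \Box[N]_w)_{+v}$ and $\exists\, s : \widetilde{\mathit{Init}} \wedge \Box[\widetilde{N}]_{(w,v,s)}$ agree. The reading of $P_{+v}$ is the case split from the proof of Lemma 13 ($\sigma = \rho \circ \tau$ with $\rho \models P$ and $\tau \models \Box[\mathit{false}]_v$), and the witness for $\exists\, s$ is searched for over the prefix itself, which is justified by the fact that $\widetilde{N}$ never lets $s$ change on a step that leaves $(w, v)$ unchanged.

```python
"""Finite-prefix check of Lemma 14 on a hypothetical counter specification.

Assumed (not from the paper): Init == (x = 0), N == (x' = x + 1), w == x,
v == x.  So P == Init /\ [][N]_w says "x starts at 0 and, at each step,
either increments by 1 or stutters".  States are dicts; a finite behavior
is a list of states, with the empty list satisfying every formula.
"""
from itertools import product


def sat_p(prefix):
    """prefix |= Init /\ [][N]_w.  P is a safety property, so checking the
    first state and every step of the finite behavior is enough."""
    if not prefix:
        return True
    if prefix[0]["x"] != 0:
        return False
    return all(t["x"] in (s["x"], s["x"] + 1) for s, t in zip(prefix, prefix[1:]))


def stutters_on_v(prefix):
    """prefix |= [][false]_v: every step leaves v (= x) unchanged."""
    return all(s["x"] == t["x"] for s, t in zip(prefix, prefix[1:]))


def sat_p_plus_v(prefix):
    """prefix |= P_{+v}: either P holds, or prefix = rho o tau with rho |= P
    and tau |= [][false]_v (the case split used in the proof of Lemma 13).
    P_{+v} is a safety property (Lemma 10), so a prefix that passes here
    extends by stuttering to an infinite behavior satisfying P_{+v}."""
    return any(sat_p(prefix[:m]) and stutters_on_v(prefix[m:])
               for m in range(len(prefix) + 1))


def init_tilde(state):
    """Init~ == (Init /\ s = 0) \/ (~Init /\ s = 1)."""
    return (state["x"] == 0) == (state["s"] == 0)


def n_tilde_step(s, t):
    """One step of [N~]_{(w,v,s)}, with N~ as defined in Lemma 14.  The two
    stuttering cases (x and s unchanged) fall under the first and third
    disjuncts, so no separate stutter test is needed."""
    n_or_w_same = t["x"] in (s["x"], s["x"] + 1)          # N \/ (w' = w)
    if s["s"] == 0 and t["s"] == 0:
        return n_or_w_same
    if s["s"] == 0 and t["s"] == 1:
        return not n_or_w_same                               # the violating step
    if s["s"] == 1 and t["s"] == 1:
        return t["x"] == s["x"]                              # v' = v
    return False                                             # s never goes 1 -> 0


def witness_s(prefix):
    """An assignment of s (one bit per state) under which the prefix satisfies
    Init~ /\ [][N~]_{(w,v,s)}, or None if there is none.  Because N~ never
    lets s change on a step that leaves (w, v) unchanged, the witness for
    \E s can be read off the prefix itself rather than off a
    stuttering-equivalent behavior."""
    if not prefix:
        return []
    for bits in product((0, 1), repeat=len(prefix)):
        hat = [dict(st, s=b) for st, b in zip(prefix, bits)]
        if init_tilde(hat[0]) and all(n_tilde_step(a, b) for a, b in zip(hat, hat[1:])):
            return list(bits)
    return None


def sat_exists_s(prefix):
    """prefix |= \E s : Init~ /\ [][N~]_{(w,v,s)}."""
    return witness_s(prefix) is not None


def lemma14_holds(max_len=4, values=(0, 1, 2, 3)):
    """Both sides of Lemma 14 agree on every x-prefix of length <= max_len."""
    for length in range(max_len + 1):
        for xs in product(values, repeat=length):
            prefix = [{"x": x} for x in xs]
            if sat_p_plus_v(prefix) != sat_exists_s(prefix):
                return False
    return True


# Constructed prefix: the counter runs 0, 1, 2, then the step to 7 violates N
# and from then on v (= x) is frozen, so P_{+v} holds.  The witness assigns
# s = 0 on the P-conforming part and s = 1 afterwards: [0, 0, 0, 1, 1].
EXAMPLE = [{"x": x} for x in (0, 1, 2, 7, 7)]

if __name__ == "__main__":
    print(sat_p_plus_v(EXAMPLE), witness_s(EXAMPLE), lemma14_holds())
```

The exhaustive loop is small (at most four states from a four-element domain), but it exercises all three cases of the proof of ⟨1⟩1: behaviors that satisfy $P$ outright ($s$ constantly 0), behaviors whose first state violates $\mathit{Init}$ ($s$ constantly 1), and behaviors that follow $P$ for a while and then freeze $v$ (one $0 \to 1$ transition of $s$ at the violating step).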

A.2.4 Properties of $\perp$ 
Lemma 15 

1. For any properties $P$ and $Q$, $\models P \perp Q = C(P) \perp C(Q)$. 

2. If $P$ and $Q$ are safety properties, then $\models P \perp Q = (P \wedge Q) +\!\triangleright (P \vee Q)$. 

Lemma 16 For any properties $P$ and $Q$, 

$$\models (P +\!\triangleright Q) = (P -\!\triangleright Q) \wedge (P \perp Q)$$ 

⟨1⟩1. Case: $P$ and $Q$ safety properties 
⟨2⟩1. $\models (P +\!\triangleright Q) \Rightarrow (P -\!\triangleright Q) \wedge (P \perp Q)$ 
⟨3⟩1. $\models (P +\!\triangleright Q) \Rightarrow (P -\!\triangleright Q)$ 
Proof: Obvious from the definitions of $-\!\triangleright$ and $+\!\triangleright$. □ 
⟨3⟩2. $\models (P +\!\triangleright Q) \Rightarrow (P \perp Q)$ 
Proof: Lemma 15(2), since $+\!\triangleright$ is monotonic in its second argument and antimonotonic in its first. □ 
⟨3⟩3. Q.E.D. 
⟨2⟩2. $\models (P -\!\triangleright Q) \wedge (P \perp Q) \Rightarrow (P +\!\triangleright Q)$ 
⟨3⟩1. $\models (P -\!\triangleright Q) \wedge (P \perp Q) \wedge (Q -\!\triangleright P) \Rightarrow Q$ 
Proof: 
$(P \perp Q) \wedge (P -\!\triangleright Q) \wedge (Q -\!\triangleright P)$ 
$= (((P \vee Q) -\!\triangleright (P \wedge Q)) \Rightarrow (P \vee Q)) \wedge (P -\!\triangleright Q) \wedge (Q -\!\triangleright P)$ 
case assumption ⟨1⟩, Lemma 15(2), and Lemma 6 
$\Rightarrow (((P \vee Q) -\!\triangleright (P \wedge Q)) \Rightarrow (P \vee Q)) \wedge ((P \vee Q) -\!\triangleright (P \wedge Q))$ 
by Lemma 4 
$\Rightarrow (P \vee Q) \wedge ((P \vee Q) -\!\triangleright (P \wedge Q))$ 
by Lemma 3(1) 
$\Rightarrow Q$ 
by Lemma 3(1). □ 
⟨3⟩2. $\models (P -\!\triangleright Q) \wedge (P \perp Q) \Rightarrow ((Q -\!\triangleright P) \Rightarrow Q)$ 
Proof: ⟨3⟩1 and Lemma 1(2). □ 
⟨3⟩3. Q.E.D. 
Proof: ⟨3⟩2, case assumption ⟨1⟩, and Lemma 6. □ 
⟨1⟩2. Q.E.D. 
Proof: $(P +\!\triangleright Q) = (P \Rightarrow Q) \wedge (C(P) +\!\triangleright C(Q))$ 
by Lemma 2(2) 
$= (P \Rightarrow Q) \wedge (C(P) -\!\triangleright C(Q)) \wedge (C(P) \perp C(Q))$ 
by ⟨1⟩1 
$= (P \Rightarrow Q) \wedge (C(P) -\!\triangleright C(Q)) \wedge (P \perp Q)$ 
by Lemma 15(1) 
$= (P -\!\triangleright Q) \wedge (P \perp Q)$ 
by Lemma 2(1). □ 

Proposition 4 

Assume: 1. $P$, $Q$, and $R$ are safety properties. 
        2. $\models P \wedge Q \Rightarrow R$ 
        3. $\models Q \Rightarrow P \perp R$ 
        4. the tuple $x$ contains all the free variables of $R$. 
Prove: $\models P_{+x} \wedge Q \Rightarrow R$ 

⟨1⟩1. $\models Q \Rightarrow (P -\!\triangleright R)$ 
Proof: Assumptions ⟨0⟩:1 and ⟨0⟩:2, and Lemma 1(2). □ 
⟨1⟩2. $\models Q \Rightarrow (P +\!\triangleright R)$ 
Proof: ⟨1⟩1, assumption ⟨0⟩:3, and Lemma 16. □ 
⟨1⟩3. $\models Q \Rightarrow (P_{+x} \Rightarrow R)$ 
Proof: ⟨1⟩2, assumptions ⟨0⟩:1 and ⟨0⟩:4, and Lemma 11. □ 
⟨1⟩4. Q.E.D. 
Proof: ⟨1⟩3 and Lemma 1(2). □ 
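As an added example (not part of the paper), the three operators that Lemma 16 and Proposition 4 relate can be spelled out on finite behavior prefixes and the safety case of Lemma 16 checked exhaustively on a small domain. The prefix-level readings used here are the ones the proofs above reduce to: $\sigma|_n \models P -\!\triangleright Q$ compares $P$ and $Q$ on the same prefix, while $P +\!\triangleright Q$ (proof of Lemma 11) and $P \perp Q$ (proof of Lemma 17) relate $\sigma|_{n-1}$ to $\sigma|_n$. The properties EVEN and SMALL are hypothetical, constructed so that one step can break both at once; Lemma 4 is checked the same way.

```python
"""Finite-prefix semantics of -|>, +|> and _|_ for safety properties, with an
exhaustive check of Lemma 16 (safety case) and Lemma 4.

Hypothetical properties (not from the paper), over prefixes of integer states:
  EVEN  == every state so far is even
  SMALL == every state so far is below 9
Both are prefix-closed, and the empty prefix satisfies both.
"""
from itertools import product


def EVEN(prefix):
    return all(x % 2 == 0 for x in prefix)


def SMALL(prefix):
    return all(x < 9 for x in prefix)


def prefixes(sigma):
    """sigma|_0, sigma|_1, ..., sigma|_|sigma| (sigma|_0 is the empty sequence)."""
    return [sigma[:n] for n in range(len(sigma) + 1)]


def while_implies(P, Q, sigma):
    """sigma |= P -|> Q: for all n, sigma|_n |= P implies sigma|_n |= Q."""
    return all(not P(pre) or Q(pre) for pre in prefixes(sigma))


def guarantees(P, Q, sigma):
    """sigma |= P +|> Q: for all n >= 1, sigma|_{n-1} |= P implies
    sigma|_n |= Q (the reading used in the proof of Lemma 11).  Q may be
    broken one step after P was broken, never by the same step."""
    pres = prefixes(sigma)
    return all(not P(pres[n - 1]) or Q(pres[n]) for n in range(1, len(pres)))


def orthogonal(P, Q, sigma):
    """sigma |= P _|_ Q: no single step falsifies both P and Q (the form the
    proof of Lemma 17 establishes)."""
    pres = prefixes(sigma)
    return all(not (P(pres[n - 1]) and Q(pres[n - 1])) or P(pres[n]) or Q(pres[n])
               for n in range(1, len(pres)))


def lemma16_safety_case_holds(P=EVEN, Q=SMALL, max_len=4, values=(0, 1, 2, 9)):
    """(P +|> Q) = (P -|> Q) /\ (P _|_ Q) on every prefix over `values`."""
    for length in range(max_len + 1):
        for sigma in product(values, repeat=length):
            lhs = guarantees(P, Q, sigma)
            rhs = while_implies(P, Q, sigma) and orthogonal(P, Q, sigma)
            if lhs != rhs:
                return False
    return True


def lemma4_holds(P=EVEN, Q=SMALL, max_len=4, values=(0, 1, 2, 9)):
    """(P -|> Q) /\ (Q -|> P) => ((P \/ Q) -|> (P /\ Q)) on every prefix."""
    def p_or_q(pre):
        return P(pre) or Q(pre)

    def p_and_q(pre):
        return P(pre) and Q(pre)

    for length in range(max_len + 1):
        for sigma in product(values, repeat=length):
            if (while_implies(P, Q, sigma) and while_implies(Q, P, sigma)
                    and not while_implies(p_or_q, p_and_q, sigma)):
                return False
    return True


if __name__ == "__main__":
    # 0, 2, 9: the step to 9 breaks EVEN and SMALL at once, so -|> holds
    # (vacuously from n = 3 on) but _|_ and hence +|> fail.
    print(while_implies(EVEN, SMALL, (0, 2, 9)),
          orthogonal(EVEN, SMALL, (0, 2, 9)),
          guarantees(EVEN, SMALL, (0, 2, 9)))
    # 0, 2, 1, 9: EVEN is broken first and SMALL only later, so +|> holds.
    print(guarantees(EVEN, SMALL, (0, 2, 1, 9)))
    print(lemma16_safety_case_holds(), lemma4_holds())
```

The prefix $0, 2, 9$ is the case that separates the operators: $\mathrm{EVEN} -\!\triangleright \mathrm{SMALL}$ holds because no prefix satisfies EVEN without satisfying SMALL, yet $\mathrm{EVEN} +\!\triangleright \mathrm{SMALL}$ fails because the step to 9 is blamed on both sides, which is exactly what the $\perp$ conjunct of Lemma 16 rules out.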

Lemma 17 

Let: $E \triangleq \mathit{Init}_E \wedge \Box[N_E]_{(x,e)}$ 
     $M \triangleq \mathit{Init}_M \wedge \Box[N_M]_{(y,m)}$ 
Prove: $\models ((\exists\, x : \mathit{Init}_E) \vee (\exists\, y : \mathit{Init}_M)) \wedge \mathit{Disjoint}(e, m) \Rightarrow C(\exists\, x : E) \perp C(\exists\, y : M)$ 

Proof: By definition of $\perp$, it suffices to prove the following, for all $n \geq 0$: 
Assume: 1. $\sigma \models ((\exists\, x : \mathit{Init}_E) \vee (\exists\, y : \mathit{Init}_M))$ 
        2. $\sigma \models \mathit{Disjoint}(e, m)$ 
        3. $\sigma|_n \models C(\exists\, x : E) \wedge C(\exists\, y : M)$ 
Prove: $\sigma|_{n+1} \models C(\exists\, x : E) \vee C(\exists\, y : M)$ 
⟨1⟩1. Case: $n = 0$ 
⟨2⟩1. Case: $\sigma \models (\exists\, x : \mathit{Init}_E)$ 
⟨3⟩1. Choose a state $s$ such that $s =_x \sigma_1$ and $s \models \mathit{Init}_E$. 
Proof: Case assumption ⟨2⟩. □ 
⟨3⟩2. $\langle s, s, s, \ldots \rangle \models E$ 
Proof: ⟨3⟩1 and the definition of $E$. □ 
⟨3⟩3. $\langle \sigma_1, s, s, s, \ldots \rangle \models \exists\, x : E$ 
Proof: ⟨3⟩1, ⟨3⟩2, and the definition of $\exists$. □ 
⟨3⟩4. $\sigma|_1 \models \exists\, x : E$ 
Proof: ⟨3⟩3. □ 
⟨3⟩5. Q.E.D. 
⟨2⟩2. Case: $\sigma \models (\exists\, y : \mathit{Init}_M)$ 
Proof: The proof is the same as the proof of ⟨2⟩1, with $M$ substituted for $E$ and $y$ substituted for $x$. □ 
⟨2⟩3. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, and assumption ⟨0⟩:1. □ 
⟨1⟩2. Case: $n > 0$ 
⟨2⟩1. $([\![e]\!](\sigma_n) = [\![e]\!](\sigma_{n+1})) \vee ([\![m]\!](\sigma_n) = [\![m]\!](\sigma_{n+1}))$ 
Proof: Assumption ⟨0⟩:2. □ 
⟨2⟩2. Case: $[\![e]\!](\sigma_n) = [\![e]\!](\sigma_{n+1})$ 
⟨3⟩1. Choose $\rho$ such that: 
1. $\rho \simeq_x \sigma|_n$ 
2. $\rho \models E$ 
Proof: Assumption ⟨0⟩:3, since $\eta \models C(P)$ iff $\eta \models P$, for any property $P$ and finite behavior $\eta$. □ 
Let: $t$ be the state such that $t =_x \sigma_{n+1}$ and $[\![x]\!](t) = [\![x]\!](\mathit{last}(\rho))$. 
⟨3⟩2. $\rho \circ \langle t \rangle \models E$ 
Proof: ⟨3⟩1.2, case assumption ⟨2⟩, and the definitions of $t$ and $E$. □ 
⟨3⟩3. $\sigma|_{n+1} \simeq_x \rho \circ \langle t \rangle$ 
Proof: ⟨3⟩1.1 and the definition of $t$. □ 
⟨3⟩4. $\sigma|_{n+1} \models \exists\, x : E$ 
Proof: ⟨3⟩2 and ⟨3⟩3. □ 
⟨3⟩5. Q.E.D. 
Proof: ⟨3⟩4. □ 
⟨2⟩3. Case: $[\![m]\!](\sigma_n) = [\![m]\!](\sigma_{n+1})$ 
Proof: The proof is the same as the proof of ⟨2⟩2, with $m$, $M$, and $y$ substituted for $e$, $E$, and $x$, respectively. □ 
⟨2⟩4. Q.E.D. 
Proof: ⟨2⟩1, ⟨2⟩2, and ⟨2⟩3. □ 
⟨1⟩3. Q.E.D. 

Proposition 5 

Assume: 1. $\models C(E) = \mathit{Init}_E \wedge \Box[N_E]_{(x,e)}$ 
        2. $\models C(M) = \mathit{Init}_M \wedge \Box[N_M]_{(y,m)}$ 
Prove: $\models ((\exists\, x : \mathit{Init}_E) \vee (\exists\, y : \mathit{Init}_M)) \wedge \mathit{Disjoint}(e, m) \Rightarrow C(\exists\, x : E) \perp C(\exists\, y : M)$ 

Proof: Follows from Lemma 17, with $C(E)$ substituted for $E$ and $C(M)$ substituted for $M$, and Lemma 8. □ 
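The following added example (not part of the paper) instantiates Lemma 17, and so Proposition 5, on two hypothetical counters with no hidden variables (the tuples $x$ and $y$ are taken to be empty, so $C(\exists\, x : E) = E$ and $C(\exists\, y : M) = M$). $\mathit{Disjoint}(e, m)$ is read as step ⟨2⟩1 of the proof uses it: every step leaves $e$ or $m$ unchanged. The check runs over every prefix of a small state space and also exhibits a prefix, violating disjointness, in which a single step breaks both specifications, which is precisely what $\perp$ excludes.

```python
"""Finite-prefix check of Lemma 17 / Proposition 5 on two hypothetical
counters with no hidden variables (the tuples x and y are empty).

Assumed (not from the paper):
  E == (e = 0) /\ [][e' = e + 1]_e       M == (m = 0) /\ [][m' = m + 1]_m
A state is a pair (e, m).  Disjoint(e, m) is read, as in step <2>1 of the
proof of Lemma 17, as: every step leaves e or m unchanged.
"""
from itertools import product


def counter_spec(idx):
    """Safety property 'component idx starts at 0 and only increments by 1
    or stutters', as a predicate on finite prefixes of (e, m) states."""
    def sat(prefix):
        if not prefix:
            return True
        if prefix[0][idx] != 0:
            return False
        return all(t[idx] in (s[idx], s[idx] + 1) for s, t in zip(prefix, prefix[1:]))
    return sat


E = counter_spec(0)   # already a safety property, so C(E) = E here
M = counter_spec(1)


def disjoint(prefix):
    """prefix |= Disjoint(e, m): no step changes both e and m."""
    return all(s[0] == t[0] or s[1] == t[1] for s, t in zip(prefix, prefix[1:]))


def some_init(prefix):
    """(\E x : Init_E) \/ (\E y : Init_M): e = 0 or m = 0 in the first state."""
    return not prefix or prefix[0][0] == 0 or prefix[0][1] == 0


def orthogonal(P, Q, prefix):
    """prefix |= P _|_ Q: for all n >= 1, prefix|_{n-1} |= P /\ Q implies
    prefix|_n |= P \/ Q, the obligation the proof of Lemma 17 discharges."""
    return all(not (P(prefix[:n - 1]) and Q(prefix[:n - 1]))
               or P(prefix[:n]) or Q(prefix[:n])
               for n in range(1, len(prefix) + 1))


def lemma17_holds(max_len=4, values=(0, 1, 2)):
    """Every prefix meeting the two hypotheses of Lemma 17 satisfies E _|_ M."""
    states = list(product(values, repeat=2))
    for length in range(max_len + 1):
        for prefix in product(states, repeat=length):
            if some_init(prefix) and disjoint(prefix) and not orthogonal(E, M, prefix):
                return False
    return True


def counterexample_without_disjointness():
    """Constructed prefix whose single step changes both e and m and thereby
    breaks both specifications at once: Disjoint fails, and so does E _|_ M."""
    prefix = [(0, 0), (2, 2)]
    return disjoint(prefix), orthogonal(E, M, prefix)


if __name__ == "__main__":
    print(lemma17_holds(), counterexample_without_disjointness())
```

The case $n = 0$ of the proof is visible in the check as well: with an empty prefix on the left of the $\perp$ obligation, the first state must satisfy at least one of the initial conditions, which is what the hypothesis $(\exists\, x : \mathit{Init}_E) \vee (\exists\, y : \mathit{Init}_M)$ supplies.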

A.2.5 Composition as Conjunction 

Proposition 6 Let $m_1, \ldots, m_n, x_1, \ldots, x_n$ be tuples of variables, and let 

$$m \triangleq (m_1, \ldots, m_n) \qquad x \triangleq (x_1, \ldots, x_n)$$ 

$$M_i \triangleq \exists\, x_i : \mathit{Init}_i \wedge \Box[N_i]_{(m_i, x_i)} \wedge L_i$$ 

Assume: For all $i, j$ with $i \neq j$: 

1. no variable of $x_j$ occurs free in $x_i$ or $M_i$. 

2. $m$ includes all free variables of $M_i$. 

3. $\models N_i \Rightarrow (m'_j = m_j)$ 
Prove; ^ Kl=iM, = 

3x : Ar=i Init, A □[VILi A/'. A {x[ = A AILi 

Proof: The hypotheses remain true and the conclusion is unchanged if we remove from $m_j$ any variable that appears in $x_j$. (Assumption 2 remains true because, by assumption 1, the variable removed cannot occur free in $M_i$.) Therefore, without loss of generality, we can strengthen assumption 1 to: 

Assume: 1(a). The variables in $x_j$ do not occur free in $M_i$, and are distinct from the variables in $x_i$ and $m_j$. 

The proof is by induction on $n$, with the cases for $n = 1$ and $n = 2$ proved separately. 
⟨1⟩1. Case: $n = 1$ 

Proof: This case follows immediately from the definition of $M_i$. □ 
⟨1⟩2. Case: $n = 2$ 
Let: Mh 



\j ^^l^ {x'2 


= X2) 


V A/'2 A {x[ 


= Xi) 


"V J^i A {x'2 


= X2) 


V A/'2 A {x[ 


= Xi) 


V M A A/'2 





(m, x) 



(m, x) 



Let: J^v 



H = 3xi,X2 : Initi A /n«^2 A □ J^h A Li A L2 
f/ = Initi A /n«^2 A □ J^u A Li A L2 
Prove: ^ Mi A M2 = if 
(2)1. ^ Ml AM2 = 3xi,X2:U 

AM V ((mi, xiY = (mi, a;i)) 
A A/'2 V ((m2, X2y = (m2, a;2))J 

y = /ni^i A Init2 A □ A^y A Li A L2 
(3)1. ^A/V=A/1/ 

Proof: Assumption (0):3, which implies 

\= M2 /\ ((mi, xiY = (mi, si)) = A/'2 A {x[ = xi) 
\= Ml /\ ((m2, X2y = (m2, a;2)) = A/'i A {x'^ = X2) □ 
(3)2. = U 

Proof: (3)1 and the definitions of V and U . D 
(3)3. ^ [A/'i](™i,^i> A [A/'2](™2,^2> = -^1^ 

Proof: The definition of m and a;. D 
(3)4. ^ Ml AM2 = 3xi,X2:V 

Proof: (3)3 and assumption (0):l(a), since □ distributes over A. D 
(3)5. Q.E.D. 
Proof: (3)2 and (3)4. □ 
(2)2. ^H^MiAM2 

Proof: (2)1, since \= Mr =^ Mu- D 
(2)3. ^MiAM2^H 
Assume: ^ Mi A M2 
Prove: a \= H 

(3)1. Choose T such that r .^.^^ a and t \= U. 

Proof: t exists by assumption (2), (2)1, and the definition of 3. D 
Let: t] be the behavior such that, for all ra > 0: 



V2n-1 = Tn 

T]2n = if {xijiTn 

then 



[a;i](r„+i) or [a;2](r„) = [a;2](r, 



n+l) 



else the state such that [a;i](?72ra) = [s^iKt^+i) 



and 'r]2r. 



T.„. 
($\eta$ is the same as $\tau$ except that each step is split in two. A step that changes both $x_1$ and $x_2$ is split into a step that changes only $x_1$ followed by one that leaves $x_1$ unchanged. For a step that leaves $x_1$ or $x_2$ unchanged, a stuttering step is added.) 
(3)2. For all n > 0, if [a;i](r„) / [a;i](r„+i) and [a;2](r„) / [a;2](r„+i) 
then (r„, t„_|_i) is an A/i A A/2 A (m' = m) step. 
Assume: [a;i](r„) / [a;i](r„+i) and [a;2](r„) / [a;2](r„+i). 
Prove: (r„, r„+i) is an Ai A A2 A (m' = m) step. 
(4)1. (r„, Tn+i) is an Al/ step. 

Proof: (3)1 (which asserts t \= U) and the definition of U. D 
(4)2. (r„, r„+i) is an A"! A A'2 step. 

Proof: Assumption (3), (4)1, and the definition of Al/- HI 
(4)3. Q.E.D. 

Proof: (4)2 and assumption (0):3. D 
(3)3. For all ra > 0, (?]„, ?7n+i) is an Mh step. 
Let: k = (ra + 1) div 2 

(4)1. Case: [a;i](rfc) = [a;i](rfc+i) or lx2}{Tk) = [a;2](rfc+i) 

(In this case, (?]„, ?7n+i) is a step of r or a stutter.) 

(5)1. {T]n, T]n+l) = (rfc, Tfc+i) Or = T]n+1. 

Proof: The definition of t] and case assumption (4). D 
(5)2. lxil{rin) = lxil{rin+i) or lx2}{Vn) = lx2}{Vn+l)- 

Proof: (5)1 and case assumption (4). D 
(5)3. {r]n, rjn+i) is an Mu step. 

Proof: (5)1, (3)1 (which asserts r \= U), and the definition of 

U. □ 
(5)4. Q.E.D. 

Proof: (5)2 and (5)3, since \= Afu A {{x[ = xi) V {x2 = X2)) =^ 

(4)2. Case: ra = 2A; - 1, lxi}{Tk) / lxi}{Tk+i), and 
M(rfc)/M(rfc+i). 

(In this case, (?]„, ?7n+i) is a step that changes only xi.) 
(5)1. ?7„ = Tfc, [a;i](?7„+i) = [a;i](rfc+i), and T]n+i =xi Tk 

Proof: The definition of t] and case assumption (4). D 
(5)2. {vk, Tfc+i) is an Ai A A2 A (m' = m) step. 

Proof: (3)2 and case assumption (4). D 
(5)3. [m](?7„) = [m](rfc) and [m](?7„+i) = [m](rfc+i) 

Proof: (5)1 implies [rai](?7„) = [m](rfc), (5)1 and assumption 

(0):l(a) (which implies that no variable in xi occurs in nii or 
m2) imply [m](?7„+i) = [m](rfc), and (5)2 implies [m](rfc) = 
lm}{n+i). □ 

(5)4. IxiJirin) = lxi}{Tk) and = [a;i](rfc+i) 

Proof: (5)1. □ 
(5)5. (m, xi) contains all variables free in A/i. 

Proof: Assumption (0):2 and the definition of Mi. D 
(5)6. {r]n, rjn+i) is an Mi step 

Proof: (5)2, (5)3, (5)4, and (5)5. □ 
(5)7. {rjn, rjn+i) is an x'^ = x^ step. 

Proof: (5)1 and (0):l(a), which implies that xi and x^ have no 

variable in common. D 
(5)8. Q.E.D. 

Proof: (5)6 and (5)7, since \= Mi ^ [x'^ = X2) Mr- D 
(4)3. Case: n = 2k, lxi}{Tk) / [a;i](rfc+i), and 
M(rfc)/M(rfc+i). 

(In this case, (?]„, ?7n+i) is a step that leaves xi un- 
changed.) 

(5)1. T]n+i = Tk+i, lxil{T]n) = [a;i](rfc+i), and r/,. 

Proof: The definition of t] and case assumption (4). D 
(5)2. (rfc, Tk+i) is an M2 step. 

Proof: (3)2 and case assumption (4). D 
(5)3. [(m, X2)}{T]n) = l{m, X2)}{Tk) and 

[(m, X2)}{Vn+l) = {{m, X2)}{Tk+l). 

Proof: (5)1 and assumption (0):l(a), which implies that xi has 

no variables in common with X2 or m. D 
(5)4. (m, X2) contains all variables free in A/2. 

Proof: Assumption (0):2 and the definition of M2. D 
(5)5. {r]n, rjn+i) is an A'2 step 

Proof:(5)2, (5)3, and (5)4. □ 
(5)6. {rjn, rjn+i) is an x'l = xi step. 

Proof: (5)1. □ 
(5)7. Q.E.D. 

Proof:(5)5 and (5)6, since ^ A'2 A {x[ = xi) =^ Mr- D 
(4)4. Q.E.D. 

Proof: (4)1, (4)2, and (4)3. □ 
(3)4. T] ^ Initi A Init2 
(4)1. r ^ Initi A Init2 

Proof: The definition of U and (3)1 (which asserts r \= U). D 
(4)2. r,i = n 
Proof: The definition of $\eta$. □ 
(4)3. Q.E.D. 

Proof: (4)1 and (4)2, since {PJip) = {PJipi) for any predicate P 
and behavior p. D 
(3)5. ?7 ^ Li AL2 
(4)1. 

(5)1. r ^Li 

Proof: (3)1 and the definition of U. D 
(5)2. For all ra > 0: 

1- mn-l = Tn 

2. [(m, xi)\{ri2n) = l{m, a;i)](r„) or 
[(m, xi)}{ri2n) = l{m, a;i)](r„+i) 
Proof: Part 1 follows from the definition of -q. Part 2 fol- 
lows from the definition of r] and (3)2, which implies [m](r„) = 
[m](r„_|_i) when the if condition in the definition is false. D 
(5)3. (m, xi) contains all variables occurring free in Li. 
Proof: Assumption (0):2 and the definition of Mi. D 

(5)4. T ^{m,xi) V 

Proof: (5)2. □ 
(5)5. Q.E.D. 
Proof: (5)1, (5)3, and (5)4. □ 
(4)2. 7? ^ L2 

(5)1. T^L2 

Proof: (3)1 and the definition of U. D 
(5)2. 1] T 

Proof: The definition of 77. D 
(5)3. Q.E.D. 

Proof: (5)1, (5)2, and assumption (0):l(a), which implies that 
xi does not occur free in L2. D 
(4)3. Q.E.D. 
(3)6. v^H 

Proof: (3)3, (3)4, and (3)5, and the definition of if. □ 
(3)7. 

Proof: (3)1, which asserts r .^.^^ a, and the definition of r], 
which implies t] r. D 
(3)8. Q.E.D. 

Proof: (3)6, (3)7, and the definition of H. □ 
(2)4. Q.E.D. 
« )] (mm, xx) 



(1)3. Case: ra > 2, and the theorem holds with p substituted for ra, for all 
p < n. 

Let: mm = (mi, . . . , m„_i) 

XX — {p^\i • • • 7 "^n — X) 

XX{ — (^1? • • • ^i — li 7 • • • 7 ^n — l) 

Proof: 

by propositional logic 
= A 3xx : A Ai<n-i -^y^J^i 

A □ rv.<„-i A/;- A (a;. = 

A A„-i L, 

A M„ 

by case assumption (1), with ra — 1 substituted for p 
= 3a; a;, Xn '■ A /\ Initi 

V A Vi<n-i -^i A (a?a;' = f^i) 
AD A(a;; = a;„) 

V Afn A = in) 

by case assumption (1), with 2 substituted for p 

= 3 a; : Ar=i^™^«- A □[ VILi A/'^' A (^^ = ^.)](m,4 A AILi □ 
(1)4. Q.E.D. 

Proof: (1)1, (1)2, (1)3, and mathematical induction. D 



(mm, XX ^ ^mXn) 



A.2.6 Decomposition and Composition 

Theorem 1 is an immediate consequence of Theorem 2. The proof of Theorem 2 assumes Theorem 3, but Theorem 2 is not used in the proof of any lemma or theorem, so there is no circularity. 
Theorem 2 

Assume: For $i = 1, \ldots, n$: 

1. $\models C(E) \wedge \bigwedge_{j=1}^{n} C(M_j) \Rightarrow E_i$ 

2. a. $\models C(E_i)_{+v} \wedge C(M_i^l) \Rightarrow C(M_i)$ 
   b. $\models E_i \wedge M_i^l \Rightarrow M_i$ 

3. $v$ is a tuple of variables including all the free variables of $M_i$. 

Prove: a. $\models C(E)_{+v} \wedge \bigwedge_{j=1}^{n} C(M_j^l) \Rightarrow \bigwedge_{j=1}^{n} C(M_j)$ 
       b. $\models E \wedge \bigwedge_{j=1}^{n} M_j^l \Rightarrow \bigwedge_{j=1}^{n} M_j$ 
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(1)1. For any E, Ei, and Mi satisfying assumptions (0):l-3, and all 

n 

t=l,...,n: ^ (/\Mj) ^ (^i>M,) 
j=i 

(2)1. For $i = 1, \ldots, n$: $\models M_i^l \Rightarrow (E_i \mathrel{-\!\triangleright} M_i)$

(3)1. For $i = 1, \ldots, n$: $\models C(M_i^l) \Rightarrow (C(E_i) \mathrel{-\!\triangleright} C(M_i))$

Proof: Assumption (0):2(a), Lemma 1(2), assumption (0):3, and Lemma 11. □

(3)2. For $i = 1, \ldots, n$: $\models M_i^l \Rightarrow (E_i \Rightarrow M_i)$

Proof: Assumption (0):2(b). □

(3)3. Q.E.D.

Proof: (3)1, (3)2, and Lemma 2(2). □

(2)2. For $i = 1, \ldots, n$: $\models (\bigwedge_{j=1}^{n} (E_j \mathrel{-\!\triangleright} M_j)) \Rightarrow (E \mathrel{-\!\triangleright} M_i)$

Proof: The Composition Theorem (Theorem 3), with $M_i$ substituted for $M$, where hypothesis 1 of the Composition Theorem follows from assumption (0):1, and hypotheses 2(a) and 2(b) are vacuous when $M_i$ is substituted for $M$. □

(2)3. Q.E.D.

Proof: (2)1, (2)2, and propositional reasoning. □
(1)2. Conclusion (a) holds.

(2)1. For $i = 1, \ldots, n$: $\models (\bigwedge_{j=1}^{n} C(M_j^l)) \Rightarrow (C(E) \mathrel{-\!\triangleright} C(M_i))$

Proof: (1)1, substituting $C(E)$ for $E$, $C(M_j^l)$ for $M_j^l$, and $C(M_i)$ for $M_i$. Since $C$ is idempotent, this instantiation changes only assumption 2(b), which becomes $\models C(E_i) \wedge C(M_i^l) \Rightarrow C(M_i)$. This assumption follows from 2(a), since $\models P \Rightarrow P^{+v}$ for any $P$. □

(2)2. For $i = 1, \ldots, n$: $\models (\bigwedge_{j=1}^{n} C(M_j^l)) \Rightarrow (C(E)^{+v} \Rightarrow C(M_i))$

Proof: (2)1, assumption (0):3, and Lemma 11. □

(2)3. Q.E.D.

Proof: (2)2 and Lemma 1(2) (conjoining over all $i$). □
(1)3. Conclusion (b) holds.

(2)1. $\models E \wedge (\bigwedge_{j=1}^{n} M_j^l) \Rightarrow M_i$

Proof: (1)1 and Lemma 2(2). □

(2)2. Q.E.D.

Proof: (2)1 (conjoining over all $i$). □

(1)4. Q.E.D.

Lemma 18

Assume: For $i = 1, \ldots, n$:

0. $M_i$ is a safety property.

1. $E$ and $E_i$ are safety properties.

2. $\models (E \wedge \bigwedge_{j=1}^{n} M_j) \Rightarrow E_i$

Prove: $\models (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow (E \mathrel{-\!\triangleright} (\bigwedge_{i=1}^{n} M_i))$

Proof: $\bigwedge_{j=1}^{n} (E_j \mathrel{-\!\triangleright} M_j)$

$\Rightarrow (\bigwedge_{j=1}^{n} E_j) \mathrel{-\!\triangleright} (\bigwedge_{j=1}^{n} M_j)$
    Lemma 5 and assumptions (0):0 and (0):1

$\Rightarrow E \mathrel{-\!\triangleright} (\bigwedge_{j=1}^{n} M_j)$
    assumption (0):2 and Lemma 7, substituting $E$ for $R$, $\bigwedge_{j=1}^{n} E_j$ for $P$, and $\bigwedge_{j=1}^{n} M_j$ for $Q$. □

Theorem 3

Assume: For $i = 1, \ldots, n$:

1. $\models C(E) \wedge \bigwedge_{j=1}^{n} C(M_j) \Rightarrow E_i$

2. a. $\models C(E)^{+v} \wedge \bigwedge_{j=1}^{n} C(M_j) \Rightarrow C(M)$
   b. $\models E \wedge \bigwedge_{j=1}^{n} M_j \Rightarrow M$

Prove: $\models \bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i) \Rightarrow (E \mathrel{-\!\triangleright} M)$

(1)1. $\models (\bigwedge_{i=1}^{n} (C(E_i) \mathrel{-\!\triangleright} C(M_i))) \Rightarrow (C(E) \mathrel{-\!\triangleright} (\bigwedge_{i=1}^{n} C(M_i)))$

Proof: Assumption (0):1 and Lemma 18, since $\models E_i \Rightarrow C(E_i)$ (because $C$ is superdiagonal). □

(1)2. $\models (C(E) \mathrel{-\!\triangleright} (\bigwedge_{i=1}^{n} C(M_i))) \Rightarrow (C(E) \mathrel{-\!\triangleright} C(M))$

Proof: Assumption (0):2(a) and Lemma 12. □

(1)3. $\models (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow (E \Rightarrow M)$

(2)1. $\models C(E) \wedge (\bigwedge_{i=1}^{n} (C(E_i) \mathrel{-\!\triangleright} C(M_i))) \Rightarrow \bigwedge_{i=1}^{n} C(M_i)$

Proof: (1)1 and Lemma 3(2). □

(2)2. $\models E \wedge (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow \bigwedge_{i=1}^{n} C(M_i)$

Proof: (2)1, since $\models E \Rightarrow C(E)$ (because $C$ is superdiagonal) and $\models (E_j \mathrel{-\!\triangleright} M_j) \Rightarrow (C(E_j) \mathrel{-\!\triangleright} C(M_j))$ by Lemma 2. □

(2)3. $\models E \wedge (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow \bigwedge_{i=1}^{n} E_i$

Proof: (2)2 and assumption (0):1, since $C$ is superdiagonal. □

(2)4. $\models E \wedge (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow \bigwedge_{i=1}^{n} M_i$

Proof: (2)3 and Lemma 3(2). □

(2)5. $\models E \wedge (\bigwedge_{i=1}^{n} (E_i \mathrel{-\!\triangleright} M_i)) \Rightarrow M$

Proof: (2)4 and assumption (0):2(b). □

(2)6. Q.E.D.

Proof: (2)5. □

(1)4. Q.E.D.

Proof: (1)1 and (1)2, which imply

$\models \bigwedge_{i=1}^{n} (C(E_i) \mathrel{-\!\triangleright} C(M_i)) \Rightarrow (C(E) \mathrel{-\!\triangleright} C(M))$,

(1)3, and Lemma 2(2). □






References 



[1] Martin Abadi and Leslie Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253-284, May 1991.

[2] Martin Abadi and Leslie Lamport. An old-fashioned recipe for real time. Research Report 91, Digital Equipment Corporation, Systems Research Center, 1992. An earlier version, without proofs, appeared in [9, pages 1-27].

[3] Martin Abadi and Leslie Lamport. Composing specifications. ACM Transactions on Programming Languages and Systems, 15(1):73-132, January 1993.

[4] Martin Abadi and Gordon Plotkin. A logical view of composition and refinement. Theoretical Computer Science, 114(1):3-30, June 1993.

[5] S. Abramsky and R. Jagadeesan. Games and full completeness for multiplicative linear logic. Technical Report DoC 92/24, Department of Computing, Imperial College of Science, Technology, and Medicine, 1992.

[6] Bowen Alpern and Fred B. Schneider. Defining liveness. Information Processing Letters, 21(4):181-185, October 1985.

[7] Christian Berthet and Eduard Cerny. An algebraic model for asynchronous circuits verification. IEEE Transactions on Computers, 37(7):835-847, July 1988.

[8] Pierre Collette. Application of the composition principle to Unity-like specifications. In M.-C. Gaudel and J.-P. Jouannaud, editors, TAPSOFT'93: Theory and Practice of Software Development, volume 668 of Lecture Notes in Computer Science, pages 230-242, Berlin, 1993. Springer-Verlag.

[9] J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors. Real-Time: Theory in Practice, volume 600 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, 1992. Proceedings of a REX Real-Time Workshop, held in The Netherlands in June, 1991.

[10] Cliff B. Jones. Specification and design of (parallel) programs. In R. E. A. Mason, editor, Information Processing 83: Proceedings of the IFIP 9th World Congress, pages 321-332. IFIP, North-Holland, September 1983.

[11] R. P. Kurshan and Leslie Lamport. Verification of a multiplier: 64 bits and beyond. In Costas Courcoubetis, editor, Computer-Aided Verification, volume 697 of Lecture Notes in Computer Science, pages 166-179, Berlin, June 1993. Springer-Verlag. Proceedings of the Fifth International Conference, CAV'93.

[12] Leslie Lamport. What good is temporal logic? In R. E. A. Mason, editor, Information Processing 83: Proceedings of the IFIP 9th World Congress, pages 657-668, Paris, September 1983. IFIP, North-Holland.

[13] Leslie Lamport. A simple approach to specifying concurrent systems. Communications of the ACM, 32(1):32-45, January 1989.

[14] Leslie Lamport. The temporal logic of actions. Research Report 79, Digital Equipment Corporation, Systems Research Center, December 1991. To appear in Transactions on Programming Languages and Systems.

[15] Carver Mead and Lynn Conway. Introduction to VLSI Systems, chapter 7. Addison-Wesley, Reading, Massachusetts, 1980.

[16] Jayadev Misra and K. Mani Chandy. Proofs of networks of processes. IEEE Transactions on Software Engineering, SE-7(4):417-426, July 1981.

[17] Paritosh K. Pandya and Mathai Joseph. P-A logic — a compositional proof system for distributed programs. Distributed Computing, 5(1):37-54, 1991.

[18] Amir Pnueli. The temporal semantics of concurrent programs. Theoretical Computer Science, 13:45-80, 1981.

[19] Amir Pnueli. In transition from global to modular temporal reasoning about programs. In Krzysztof R. Apt, editor, Logics and Models of Concurrent Systems, NATO ASI Series, pages 123-144. Springer-Verlag, October 1984.

[20] Eugene W. Stark. A proof technique for rely/guarantee properties. In S. N. Maheshwari, editor, Foundations of Software Technology and Theoretical Computer Science, volume 206 of Lecture Notes in Computer Science, pages 369-391, Berlin, 1985. Springer-Verlag.

[21] Pamela Zave and Michael Jackson. Conjunction as composition. Submitted for publication, June 1992.






Index 



□, 9
∃, 9

+, 17
o, 5

' (prime), 9
−▷, 18-19
=..., 35
— 36

⇒, precedence of, 9
17

2, 18
N, 8, 35
• ••I..., 35
|...|, 5

⟨...⟩

enclosing atomic operation, 2

sequence notation, 5
[...]..., 9
[...], 35

∧, list of, 9
∨, list of, 9

action, 9 

next-state, 14 
angle brackets 

enclosing atomic operation, 2 

sequence notation, 5 
antimonotonic, 36 
assumption, environment, 2, 6, 28
assumption/guarantee specification, 6, 28

behavior, 8 

intuitive interpretation of, 9 
Berthet, Christian, 33 
Boolean operator, 8 
brackets, angle 



enclosing atomic operation, 2 
sequence notation, 5 

C, 16, 35 
canonical form, 9 
Cerny, Eduard, 33 
Chandy, K. Mani, 31 
channel, 5 

circuit description as low-level specification, 1
circular reasoning, 24 
closure, 16 
closure, machine, 16 
Collette, Pierre, 33 
complete system, 2 

decomposition of, 1-4, 19-27 
component guarantee, 2 
composition, 1, 4-8, 28-31 
Composition Theorem, 29 
conditional implementation, 15 
conjunction of components, 22-24 
conjunction, list notation for, 9 
COSPAN, 33 
CSP, 31 

decomposition, 1-4, 19-27 
Decomposition Theorem, 24 
Decomposition Theorem, General, 27

Disjoint, 10 

disjunction, list notation for, 9

environment assumption, 2, 6, 28 

fairness 

strong, 9 
weak, 9 
flexible variable, 8
form, canonical, 9 
formula, TLA, 8 
function, state, 8 

GCD program, 2-4, 9, 20, 23, 25 
General Decomposition Theorem, 27

guarantee, 2, 6, 28 

Head, 5 
hiding, 1, 16 
Hoare triple, 31 

iff, 3 

implementation, 1 
conditional, 15 
indentation, eliminating parentheses with, 9
inductively defined system, 27
Init, 9 

input variable, 19, 21 
interface refinement, 15
interleaving representation, 10 
internal variable, 9 
invariant under stuttering, 35 

Joseph, Mathai, 31 

last, 35 

machine closure, 16 
mapping, refinement, 12
Misra, Jayadev, 31 
monotonic, 36 
multiplier 

recursive definition, 27

verification, 33

next-state action, 14 
noninterleaving representation, 10 



number, statement (in proof), 36 

open system, 4 
operator 

Boolean, 8 

precedence of, 9 
output variable, 19, 21 

Pandya, Paritosh K., 31 
Plotkin, Gordon, 33 
Pnueli, Amir, 1, 31 
predicate, state, 8 
program as low-level specification, 1

proof style, explanation, 36 

queue, 5-6, 10-12, 20-23, 30-31
implemented by two queues, 12-14

real-time specification, 15
refinement mapping, 12
refinement, interface, 15

safety property, 8, 15 
semantics of TLA, 8-10 
sequences, notation for, 5 
SF, 9 

specification

assumption/guarantee, 6 

higher-level, 1 

low-level, 1 

real-time, 15 
Stark, Eugene W., 31 
state, 8 

state function, 8 

state predicate, 8 

statement number (in proof), 36 

step, 9 

stuttering, 1 
strong fairness, 9
stutter-free version of a behavior, 35

stuttering equivalent, 35 

stuttering step, 1 

stuttering, invariant under, 35 

subaction, 16 

superdiagonal, 36 

syntax of TLA, 8-10 

system 

defined inductively, 27 

open, 4 
system guarantee, 6, 28 
system, complete, 2 

Tail, 5 

Temporal Logic of Actions, 1 
TLA, 1, 8-10 

Unity, 33 
universe, 9 

valid, 8 
variable 

flexible, 8 

hiding of, 1, 16 

history, 31 

input, 19, 21 

internal, 9 

intuitive interpretation of, 9 
output, 19, 21 
primed, 9 

weak fairness, 9 
WF, 9 

Yu, Yuan, 33 